Manual Allied Telesis AT-S63

514 pages 2.66 mb

Summary
  • Allied Telesis AT-S63 - page 1

    613-000801 Rev. A Management Software AT-S63 Features Guide. AT-S63 Version 2.2.0 for the AT-9400 Layer 2+ Switches; AT-S63 Version 3.0.0 for the AT-9400 Basic Layer 3 Switches ...

  • Allied Telesis AT-S63 - page 2

    Copyright © 2007 Allied Telesis, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesis, Inc. Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. All oth ...

  • Allied Telesis AT-S63 - page 3

    Contents: Preface 17; How This Guide is Organized 18; Produ ...

  • Allied Telesis AT-S63 - page 4

    Contents: Chapter 2: Enhanced Stacking 55; Supported Platforms 56; Overview ...

  • Allied Telesis AT-S63 - page 5

    AT-S63 Management Software Features Guide. Contents: Chapter 10: Classifiers 109; Supported Platforms ...

  • Allied Telesis AT-S63 - page 6

    Contents: Section III: Snooping Protocols 173; Chapter 15: IGMP Snooping 175; Supported Platforms ...

  • Allied Telesis AT-S63 - page 7

    Contents: Chapter 21: Multiple Spanning Tree Protocol 225; Supported Platforms ...

  • Allied Telesis AT-S63 - page 8

    Contents: Chapter 26: MAC Address-based VLANs 285; Supported Platforms 286; Overview ...

  • Allied Telesis AT-S63 - page 9

    Contents: Interface Monitoring 342; Port Monitoring ...

  • Allied Telesis AT-S63 - page 10

    Contents: Chapter 34: PKI Certificates and SSL 397; Supported Platforms 398; Overview ...

  • Allied Telesis AT-S63 - page 11

    Contents: IGMP Snooping 452; Internet Protocol Version 4 Packet Routing ...

  • Allied Telesis AT-S63 - page 12

    Contents: Appendix D: MIB Objects 489; Access Control Lists 490; Class ...

  • Allied Telesis AT-S63 - page 13

    Figures: Figure 1: Static Port Trunk Example 77; Figure 2: Example of Multiple Aggregators for Multiple Aggregate Trunks 84; Figure ...

  • Allied Telesis AT-S63 - page 14

    Figures ...

  • Allied Telesis AT-S63 - page 15

    Tables: Table 1: AT-9400 Switch Features 31; Table 2: Management Interfaces and Features 36 ...

  • Allied Telesis AT-S63 - page 16

    Tables: Table 50: Port Configuration and Status (AtiStackSwitch MIB) 503; Table 51: Spanning Tree (AtiStackSwitch MIB) 504; Table 52: S ...

  • Allied Telesis AT-S63 - page 17

    Preface. This guide describes the features of the AT-9400 Layer 2+ and Basic Layer 3 Gigabit Ethernet Switches and the AT-S63 Management Software. This preface contains the following sections: “How This Guide is Organized” on page 18; “Product Documentation” on page 20; “Where to Go First” on page 21; “Starting ...

  • Allied Telesis AT-S63 - page 18

    Preface. How This Guide is Organized. This guide has the following sections and chapters: Section I: Basic Operations: Chapter 1, “Overview” on page 29; Chapter 2, “Enhanced Stacking” on page 55; Chapter 3, “SNMPv1 and SNMPv2c” on page 65; Chapter 4, “MAC Address Table” on page 71; Chapter 5, “Static Port Trunks” on pag ...

  • Allied Telesis AT-S63 - page 19

    Section V: Spanning Tree Protocols: Chapter 20, “Spanning Tree and Rapid Spanning Tree Protocols” on page 213; Chapter 21, “Multiple Spanning Tree Protocol” on page 225. Section VI: Virtual LANs: Chapter 22, “Port-based and Tagged VLANs” on page 247; Chapter 23, “GARP VLAN ...

  • Allied Telesis AT-S63 - page 20

    Preface. Product Documentation. For overview information on the features of the AT-9400 Switch and the AT-S63 Management Software, refer to: AT-S63 Management Software Features Guide (PN 613-000801). For instructions on starting a local or remote management session, refer to: Starting an AT-S63 Management Session Guide (PN 613-00081 ...

  • Allied Telesis AT-S63 - page 21

    Where to Go First. Allied Telesis recommends that you read Chapter 1, “Overview” on page 29 in this guide before you begin to manage the switch for the first time. There you will find a variety of basic information about the unit and the management software, like the two levels of manager access le ...

  • Allied Telesis AT-S63 - page 22

    Preface. Starting a Management Session. For instructions on how to start a local or remote management session on the AT-9400 Switch, refer to the Starting an AT-S63 Management Session Guide. ...

  • Allied Telesis AT-S63 - page 23

    Document Conventions. This document uses the following conventions: Note: Notes provide additional information. Caution: Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data. Warning: Warnings inform you that performing or omitting a specific ac ...

  • Allied Telesis AT-S63 - page 24

    Preface. Where to Find Web-based Guides. The installation and user guides for all Allied Telesis products are available in portable document format (PDF) on our web site at www.alliedtelesis.com. You can view the documents online or download them onto a local workstation or server. ...

  • Allied Telesis AT-S63 - page 25

    Contacting Allied Telesis. This section provides Allied Telesis contact information for technical support as well as sales and corporate information. Online Support. You can request technical support online by accessing the Allied Telesis Knowledge Base: http://kb.alliedteleisn.com. You can use the Know ...

  • Allied Telesis AT-S63 - page 26

    Preface ...

  • Allied Telesis AT-S63 - page 27

    Section I: Basic Operations. The chapters in this section contain background information on basic switch features. The chapters include: Chapter 1, “Overview” on page 29; Chapter 2, “Enhanced Stacking” on page 55; Chapter 3, “SNMPv1 and SNMPv2c” on page 65; Chapter 4, “MAC Address Table” ...

  • Allied Telesis AT-S63 - page 28

    Section I: Basic Operations ...

  • Allied Telesis AT-S63 - page 29

    Chapter 1: Overview. This chapter has the following sections: “Layer 2+ and Basic Layer 3 Switches” on page 30; “AT-S63 Management Software” on page 35; “Management Interfaces and Features” on page 36; “Management Access Methods” on page 41; “Manager Access Levels” on page 43; “Installation and Manage ...

  • Allied Telesis AT-S63 - page 30

    Chapter 1: Overview. Layer 2+ and Basic Layer 3 Switches. The switches in the AT-9400 Gigabit Ethernet Series are divided into two groups: Layer 2+ Switches: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Switches: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP. The switches of the two groups of ...

  • Allied Telesis AT-S63 - page 31

    Table 1. AT-9400 Switch Features. Columns: Layer 2+ Switches (Version 2.2.0), Basic Layer 3 Switches (Version 3.0.0), Stack [1]; switch columns 1 2 3 4 5 6 7 8 -. Basic Operations: Local management: Y Y Y Y Y Y Y Y Y; Remote Telnet management: Y Y Y Y Y Y Y Y Y; Remote Secure Shell management: Y Y Y Y Y Y Y Y; Remote web browser management: Y Y Y Y Y ...

  • Allied Telesis AT-S63 - page 32

    Chapter 1: Overview. Quality of Service: Y Y Y Y Y Y Y Y; Denial of service defenses: Y Y Y Y Y Y Y Y. Snooping Protocols: Internet Group Management Protocol (IGMP) snooping: Y Y Y Y Y Y Y Y; Multicast Listener Discovery (MLD) snooping: Y Y Y Y Y Y Y Y; Router Redundancy Protocol (RRP) snooping: Y Y Y Y Y Y Y Y; Ethernet Protection Switching Ring (EPSR) snoop ...

  • Allied Telesis AT-S63 - page 33

    802.1Q-compliant and non-802.1Q-compliant multiple VLAN modes: Y Y Y Y Y Y Y Y; GARP VLAN Registration Protocol: Y Y Y Y Y Y Y Y; Protected ports VLANs: Y Y Y Y Y Y Y Y; MAC address-based VLANs: Y Y Y Y Y. Internet Protocol Routing: Internet Protocol version 4 packet routing: Y Y Y Y Y; One routing interface [4]: Y Y Y Y Y Y Y Y Y; Virtua ...

  • Allied Telesis AT-S63 - page 34

    Chapter 1: Overview. Remote Secure Shell management: Y Y Y Y Y Y Y Y; TACACS+ and RADIUS authentication: Y Y Y Y Y Y Y Y; Management access control list: Y Y Y Y Y Y Y Y. Notes: 1. Basic Layer 3 switches using version 3.0.0 of the management software and the AT-StackXG Stacking Module. 2. The only accessible file system in a stack is on the master switch. 3. The master swit ...

  • Allied Telesis AT-S63 - page 35

    AT-S63 Management Software. The AT-9400 Switch is managed with the AT-S63 Management Software. The software comes preinstalled on the unit with default settings for all the operating parameters of the switch. If the default settings are adequate for your network, you can use the switch as an unmanaged u ...

  • Allied Telesis AT-S63 - page 36

    Chapter 1: Overview. Management Interfaces and Features. The AT-S63 Management Software has three management interfaces: Menus interface; Command line interface; Web browser interface. You can use the menus and command line interfaces from a local management session through the Terminal Port on the switch or remotely with a Telnet or ...

  • Allied Telesis AT-S63 - page 37

    Enhanced stacking: Y Y Y; SNMPv1 and SNMPv2 community strings: Y Y Y; Port parameters: Y Y Y; Port statistics: Y Y Y; MAC address table: Y Y Y; Static MAC addresses: Y Y Y; Static port trunks: Y Y Y; Link Aggregation Control Protocol (LACP) trunks: Y Y; Port mirroring: Y Y Y; Baud rate of the Terminal Port: Y Y; Managemen ...

  • Allied Telesis AT-S63 - page 38

    Chapter 1: Overview. Snooping Protocols: Internet Group Management Protocol (IGMP) snooping: Y Y Y; Multicast Listener Discovery (MLD) snooping: Y Y; Router Redundancy Protocol (RRP) snooping: Y Y; Ethernet Protection Switching Ring (EPSR) snooping: Y. SNMPv3: SNMPv3: Y Y Y. Spanning Tree Protocols: Spanning Tree Protocol (STP): Y Y Y; Rapid Spanning Tree Pr ...

  • Allied Telesis AT-S63 - page 39

    Internet Protocol Routing: Routing interfaces: Y Y; Static routes: Y; Routing Information Protocol (RIP): Y; Address Resolution Protocol (ARP) table: Y; BOOTP and DHCP clients: Y Y; BOOTP relay agent: Y; Virtual Router Redundancy Protocol: Y. Port Security: MAC address-based port security: Y Y Y; 802.1x port-based netwo ...

  • Allied Telesis AT-S63 - page 40

    Chapter 1: Overview. 2. You cannot upload or download files to a compact flash card with the web browser interface. Also, the interface does not support switch-to-switch uploads. 3. You cannot modify the event log full action from the web browser interface. 4. You can view the encryption keys from the web browser interface, but you can ...

  • Allied Telesis AT-S63 - page 41

    Management Access Methods. You can access the AT-S63 Management Software on the switch several ways: Local session; Remote Telnet session; Remote Secure Shell (SSH) session; Remote web browser (HTTP or HTTPS) session; Remote SNMP session. Local Management Sessions. You establish a local m ...

  • Allied Telesis AT-S63 - page 42

    Chapter 1: Overview. Remote SNMP Management. You can also remotely configure the switch using a Simple Network Management Protocol (SNMP) application, such as AT-View. This management method requires an understanding of management information base (MIB) objects. The AT-S63 Management Software supports the following MIBs: SNMP MIB-II (RFC 12 ...

  • Allied Telesis AT-S63 - page 43

    Manager Access Levels. The AT-S63 Management Software has two manager access levels, manager and operator. The manager access level lets you view and configure the operating parameters, while the operator access level only lets you view the parameter settings. You log in by entering the appropri ...

  • Allied Telesis AT-S63 - page 44

    Chapter 1: Overview. Installation and Management Configurations. The AT-9400 Switches can be installed in three configurations. Stand-alone Switch. All the AT-9400 Switches can be installed and operated as managed or unmanaged, stand-alone Gigabit Ethernet switches. Stand-alone switches are managed by initiating a local or remote session on ...

  • Allied Telesis AT-S63 - page 45

    Here are the main points of stacking: The AT-9400 Gigabit Ethernet Switches operate as a single, logical unit where functions such as port trunks and port mirrors can span all of the devices in the stack. The switches are managed as a unit. The switches share a common MAC address table ...

  • Allied Telesis AT-S63 - page 46

    Chapter 1: Overview. IP Configuration. Do you intend to remotely manage the switch with a Telnet or Secure Shell client, or a web browser? Or, will the management software be accessing application servers on your network, like a Simple Network Time Protocol server for setting its date and time, or a TFTP server for uploading or downlo ...

  • Allied Telesis AT-S63 - page 47

    Redundant Twisted Pair Ports. Several AT-9400 Switches have twisted pair ports and GBIC or SFP slots that are paired together. The twisted pair ports are identified with the letter “R” for “Redundant” as part of their number on the front faceplate of the unit. The switch models with paired ports ...

  • Allied Telesis AT-S63 - page 48

    Chapter 1: Overview. Note: These guidelines do not apply to the SFP slots on the AT-9408LC/SP switch and the XFP slots on the AT-9424Ts/XP and AT-9448Ts/XP switches. ...

  • Allied Telesis AT-S63 - page 49

    History of New Features. The following sections contain the history of new features in the AT-S63 Management Software. Version 3.0.0. Table 4 lists the new features in version 3.0.0 of the AT-S63 Management Software. Table 4. New Features in AT-S63 Version 3.0.0. Feature / Change: Stacking with the AT- ...

  • Allied Telesis AT-S63 - page 50

    Chapter 1: Overview. Version 2.1.0. Table 5 lists the new features in version 2.1.0. Version 2.0.0. Table 6 lists the new feature in version 2.0.0 of the AT-S63 Management Software. Table 5. New Features in AT-S63 Version 2.1.0. Feature / Change: Internet Protocol version 4 packet routing: Added the following new features: Equal Cost Multi-path ...

  • Allied Telesis AT-S63 - page 51

    Version 1.3.0. Table 7 lists the new features in version 1.3.0 of the AT-S63 Management Software. Table 7. New Features in AT-S63 Version 1.3.0. Feature / Change: 802.1x Port-based Network Access Control: Added the following new features: Guest VLAN. For background information, see “Guest VLAN” on ...

  • Allied Telesis AT-S63 - page 52

    Chapter 1: Overview. Version 1.2.0. Table 8 lists the new features in version 1.2.0. Table 8. New Features in AT-S63 Version 1.2.0. Feature / Change: MAC Address Table: Added the following new parameters to the CLI commands for displaying and deleting specific types of MAC addresses in the MAC address table: STATIC, STATICUNICAST, and, ...

  • Allied Telesis AT-S63 - page 53

    802.1x Port-based Network Access Control: Added a new parameter to authenticator ports: Supplicant Mode for supporting multiple supplicant accounts on an authenticator port. For background information, see “Authenticator Ports with Single and Multiple Supplicants” on page 363. Table 8. New Feat ...

  • Allied Telesis AT-S63 - page 54

    Chapter 1: Overview ...

  • Allied Telesis AT-S63 - page 55

    Chapter 2: Enhanced Stacking. This chapter contains the following sections: “Supported Platforms” on page 56; “Overview” on page 57; “Master and Slave Switches” on page 58; “Common VLAN” on page 59; “Master Switch and the Local Interface” on page 60; “Slave Switches” on pa ...

  • Allied Telesis AT-S63 - page 56

    Chapter 2: Enhanced Stacking. Supported Platforms. This feature is supported on the following AT-9400 Switches: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP. Stack of Basic Layer 3 Switche ...

  • Allied Telesis AT-S63 - page 57

    Overview. Having to manage a large number of network devices typically involves starting a separate management session on each device. This usually means having to end one management session in order to start a new session on another unit. The enhanced stacking feature can ...

  • Allied Telesis AT-S63 - page 58

    Chapter 2: Enhanced Stacking. Master and Slave Switches. An enhanced stack must have at least one master switch. This switch is your management access point to the switches of a stack. After you have started a local or remote management session on a master switch, you can redirect the session to any of the other swi ...

  • Allied Telesis AT-S63 - page 59

    Common VLAN. A master switch searches for the other switches in an enhanced stack by sending a broadcast packet out a local subnet. (The designation of this subnet is explained in “Master Switch and the Local Interface,” next.) Since a broadcast packet cannot cross a ...

  • Allied Telesis AT-S63 - page 60

    Chapter 2: Enhanced Stacking. Master Switch and the Local Interface. Before a switch can function as the master switch of an enhanced stack, it needs to know which subnet is acting as the common subnet among the switches in the stack. It uses that information to know which subnet to send out its broadcast packets ...

  • Allied Telesis AT-S63 - page 61

    Slave Switches. The slave switches of an enhanced stack must be connected to the master switch through a common VLAN. A slave switch can be connected indirectly to the master switch so long as there is an uninterrupted path of the common VLAN from the slave switch to the ma ...

  • Allied Telesis AT-S63 - page 62

    Chapter 2: Enhanced Stacking. Enhanced Stacking Compatibility. This version of enhanced stacking is compatible with earlier AT-S63 versions and the enhanced stacking feature in the AT-8000 Series, AT-8400 Series, and AT-8500 Series Switches. As such, an enhanced stack can consist of various switch models, though the ...

  • Allied Telesis AT-S63 - page 63

    Enhanced Stacking Guidelines. Here are the guidelines to using the enhanced stacking feature: There can be up to 24 switches in an enhanced stack. The switches in an enhanced stack must be connected with a common port-based or tagged VLAN. The VLAN must have the sam ...

  • Allied Telesis AT-S63 - page 64

    Chapter 2: Enhanced Stacking. General Steps. Here are the basic steps to implementing the enhanced stacking feature on the AT-9400 Switches in your network: 1. Select a switch to act as the master switch of the enhanced stack. This can be any Allied Telesis switch that supports this feature. In a stack with differen ...

  • Allied Telesis AT-S63 - page 65

    Chapter 3: SNMPv1 and SNMPv2c. This chapter describes SNMPv1 and SNMPv2c community strings for SNMP management of the switch. Sections in the chapter include: “Supported Platforms” on page 66; “Overview” on page 67; “Community String Attributes” on page 68; “Default SNMP Community Strings” ...

  • Allied Telesis AT-S63 - page 66

    Chapter 3: SNMPv1 and SNMPv2c. Supported Platforms. This feature is supported on all AT-9400 Switches: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP. Stack of Basic Layer 3 Switches and the ...

  • Allied Telesis AT-S63 - page 67

    Overview. You can manage a switch by viewing and changing the management information base (MIB) objects on the device with the Simple Network Management Program (SNMP). The AT-S63 Management Software supports SNMPv1, SNMPv2c, and SNMPv3. This chapter explains SNMPv1 and SNM ...

  • Allied Telesis AT-S63 - page 68

    Chapter 3: SNMPv1 and SNMPv2c. Community String Attributes. A community string has attributes for controlling who can use the string and what the string will allow a network management to do on the switch. The community string attributes are defined below: Community String Name. A community string must have a name of ...

  • Allied Telesis AT-S63 - page 69

    the community strings. Each community string can have up to eight trap IP addresses. It does not matter which community strings you assign your trap receivers. When the switch sends a trap, it looks at all the community strings and sends the trap to all trap receivers on all ...

  • Allied Telesis AT-S63 - page 70

    Chapter 3: SNMPv1 and SNMPv2c. Default SNMP Community Strings. The AT-S63 Management Software provides two default community strings: public and private. The public string has an access mode of just Read and the private string has an access mode of Read/Write. If you activate SNMP management on the switch, you sho ...

  • Allied Telesis AT-S63 - page 71

    Chapter 4: MAC Address Table. This chapter contains background information about the MAC address table. This chapter contains the following section: “Overview” on page 72 ...

  • Allied Telesis AT-S63 - page 72

    Chapter 4: MAC Address Table. Overview. The AT-9400 Switch has a MAC address table with a storage capacity of 16,000 entries. The table stores the MAC addresses of the network nodes connected to its ports and the port number where each address was learned. The switch learns the MAC addresses of the end nodes by exam ...

  • Allied Telesis AT-S63 - page 73

    MAC address table from becoming filled with addresses of nodes that are no longer active. The period of time that the switch waits before purging an inactive dynamic MAC address is called the aging time. This value is adjustable on the AT-9400 Switch. The default value i ...

  • Allied Telesis AT-S63 - page 74

    Chapter 4: MAC Address Table ...

  • Allied Telesis AT-S63 - page 75

    Chapter 5: Static Port Trunks. This chapter describes static port trunks. Sections in the chapter include: “Supported Platforms” on page 76; “Overview” on page 77; “Load Distribution Methods” on page 78; “Guidelines” on page 80 ...

  • Allied Telesis AT-S63 - page 76

    Chapter 5: Static Port Trunks. Supported Platforms. This feature is supported on all AT-9400 Switches: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP. Stack of Basic Layer 3 Switches and the ...

  • Allied Telesis AT-S63 - page 77

    Overview. A static port trunk is a group of two to eight ports that function as a single virtual link between the switch and another device. Traffic is distributed across the ports to improve performance and enhance reliability by reducing the reliance on a single physica ...

  • Allied Telesis AT-S63 - page 78

    Chapter 5: Static Port Trunks. Load Distribution Methods. This section discusses load distribution methods and applies to both static and LACP port trunks. One of the steps to creating a static or LACP port trunk is selecting a load distribution method, which determines how the switch distributes the traffic load ac ...

  • Allied Telesis AT-S63 - page 79

    A similar method is used for the two load distribution methods that employ both the source and destination addresses. Only here the last three bits of both addresses are combined by an XOR process to derive a single value which is then compared against the mappings of the b ...

  • Allied Telesis AT-S63 - page 80

    Chapter 5: Static Port Trunks. Guidelines. The following guidelines apply to static trunks: Allied Telesis recommends limiting static port trunks to Allied Telesis network devices to ensure compatibility. A static trunk can have up to eight ports. Stand-alone switches can support up to six static an ...

  • Allied Telesis AT-S63 - page 81

    Chapter 6: LACP Port Trunks. This chapter explains Link Aggregation Control Protocol (LACP) port trunks. Sections in the chapter include: “Supported Platforms” on page 82; “Overview” on page 83; “LACP System Priority” on page 87; “Adminkey Parameter” on page 88; “LACP Port Priority ...

  • Allied Telesis AT-S63 - page 82

    Chapter 6: LACP Port Trunks. Supported Platforms. This feature is supported on the following AT-9400 Switches: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP. Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP. Stack of Basic Layer 3 Switches ...

  • Allied Telesis AT-S63 - page 83

    Overview. LACP (Link Aggregation Control Protocol) port trunks perform the same function as static trunks. They increase the bandwidth between network devices by distributing the traffic load over multiple physical links. The advantage of an LACP trunk over a static port tr ...

  • Allied Telesis AT-S63 - page 84

    Chapter 6: LACP Port Trunks. If there will be more than one aggregate trunk on a switch, each trunk might require a separate aggregator or it might be possible to combine them into a common aggregator. The determining factor will be whether the trunks are going to the same device or different devices. If the trunks ...

  • Allied Telesis AT-S63 - page 85

    Here is how the example looks in a table format. Caution: The example cited here illustrates a loop in a network. Avoid network loops to prevent broadcast storms. If the aggregate trunks go to different devices, you can create one aggregator and the AT-9400 Switch will form ...

  • Allied Telesis AT-S63 - page 86

    Chapter 6: LACP Port Trunks. Here is how this example looks in table format. You could, if you wanted, create separate aggregators for the different aggregate trunks in the example above. But letting the switch make the determination for you whenever possible saves time later if you physically reassign ports to a ...

  • Allied Telesis AT-S63 - page 87

    LACP System Priority. It is possible for two devices interconnected by an aggregate trunk to encounter a conflict when they form the trunk. For example, the two devices might not support the same number of active ports in an aggregate trunk or might not agree on which ports a ...

  • Allied Telesis AT-S63 - page 88

    Chapter 6: LACP Port Trunks. Adminkey Parameter. The adminkey is a hexadecimal value from 1 to FFFF that identifies an aggregator. Each aggregator on a switch must have a unique adminkey. The adminkey is restricted to a switch. Two aggregators on different switches can have the same adminkey without generating a con ...

  • Allied Telesis AT-S63 - page 89

    Load Distribution Methods The load distribution method determines the manner in which the switch distributes the traffic across the active ports of an aggregate trunk. The method is assigned to an aggregator and applies to all aggregate trunks within it. If you want to as ...

  • Allied Telesis AT-S63 - page 90

    Guidelines The following guidelines apply to creating aggregators: • LACP must be activated on both the switch and the other device. • The other device must be 802.3ad-compliant. • An aggregator can consist of any number of ports. • The AT-S63 Management Software supports up to ...

  • Allied Telesis AT-S63 - page 91

    • When creating a new aggregator, you can specify either a name for the aggregator or an adminkey, but not both. If you specify a name, the adminkey is based on the operator key of the lowest numbered port in the aggregator. If you specify an adminkey, the default name ...

  • Allied Telesis AT-S63 - page 93

    Chapter 7 Port Mirror This chapter explains the port mirror feature. Sections in the chapter include: • “Supported Platforms” on page 94 • “Overview” on page 95 • “Guidelines” on page 95 ...

  • Allied Telesis AT-S63 - page 94

    Supported Platforms This feature is supported on all AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Switches and the AT-S ...

  • Allied Telesis AT-S63 - page 95

    Overview The port mirror feature allows for the unobtrusive monitoring of ingress or egress traffic on one or more ports on a switch, without impacting network performance or speed. It copies the traffic from specified ports to another switch port where the traffic can be ...

  • Allied Telesis AT-S63 - page 97

    Section II Advanced Operations This section contains the following chapters: • Chapter 8, “File System” on page 99 • Chapter 9, “Event Logs and the Syslog Client” on page 105 • Chapter 10, “Classifiers” on page 109 • Chapter 11, “Access Control Lists” on page 119 • Chapter 12, “Cl ...

  • Allied Telesis AT-S63 - page 99

    Chapter 8 File System The chapter explains the switch’s file system and contains the following sections: • “Overview” on page 100 • “Boot Configuration Files” on page 101 • “File Naming Conventions” on page 102 • “Using Wildcards to Specify Groups of Files” on page 103 ...

  • Allied Telesis AT-S63 - page 100

    Overview The AT-9400 Switch has a file system in flash memory for storing system files. You can view a list of the files as well as copy, rename, and delete files. For those AT-9400 Switches that support a compact flash memory card, you can perform the same functions on the files stored ...

  • Allied Telesis AT-S63 - page 101

    Boot Configuration Files A boot configuration file contains the series of commands that recreate the current or a specific configuration of the switch when the unit is power cycled or reset. The commands in the file recreate all the VLANs, port settings, spanning tree ...

  • Allied Telesis AT-S63 - page 102

    File Naming Conventions The flash memory file system is a flat file system—directories are not supported. However, directories are supported on compact flash cards. In both types of storage, files are uniquely identified by a file name in the following format: filename.ext where: • f ...

  • Allied Telesis AT-S63 - page 103

    Using Wildcards to Specify Groups of Files You can use the asterisk character (*) as a wildcard character in some fields to identify groups of files. In addition, a wildcard can be combined with other characters. The following are examples of valid wildcard expressi ...

  • Allied Telesis AT-S63 - page 105

    Chapter 9 Event Logs and the Syslog Client This chapter describes how to monitor the activity of a switch by viewing the event messages in the event logs and sending the messages to a syslog server. Sections in the chapter include: • “Supported Platforms” on page 106 • “Overview” on page 107 • ...

  • Allied Telesis AT-S63 - page 106

    Supported Platforms This feature is supported on all AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer ...

  • Allied Telesis AT-S63 - page 107

    Overview A managed switch is a complex piece of computer equipment that includes both hardware and software. Multiple software features operate simultaneously, interoperating with each other and processing large amounts of network traffic. It is often difficult to det ...

  • Allied Telesis AT-S63 - page 108

    Syslog Client The management software features a syslog client for sending event messages to a syslog server on your network. A syslog server can function as a central repository for events from many different network devices. In order for the switch to send events ...

  • Allied Telesis AT-S63 - page 109

    Chapter 10 Classifiers This chapter explains classifiers for access control lists and Quality of Service policies. The sections in this chapter include: • “Supported Platforms” on page 110 • “Overview” on page 111 • “Classifier Criteria” on page 113 • “Guidelines” on page 118 ...

  • Allied Telesis AT-S63 - page 110

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Switches ...

  • Allied Telesis AT-S63 - page 111

    Overview A classifier defines a traffic flow. A traffic flow consists of packets that share one or more characteristics. A traffic flow can range from being very broad to very specific. An example of the former might be all IP traffic while an example of the latter cou ...

  • Allied Telesis AT-S63 - page 112

    is dictated by the QoS policy, as explained in Chapter 13, “Quality of Service” on page 139. In summary, a classifier is a list of variables that define a traffic flow. You apply a classifier to an ACL or a QoS policy to define the traffic flow you want the ACL or QoS policy to af ...

  • Allied Telesis AT-S63 - page 113

    Classifier Criteria The components of a classifier are defined in the following subsections. Destination MAC Address (Layer 2) Source MAC Address (Layer 2) You can identify a traffic flow by specifying a source and/or destination MAC address. For instance, you might c ...

  • Allied Telesis AT-S63 - page 114

    Figure 4. User Priority and VLAN Fields within an Ethernet Frame You can identify a traffic flow of tagged packets using the user priority value. A classifier for such a traffic flow would instruct a port to watch for tagged packets containing the specified user priority level. The pri ...

  • Allied Telesis AT-S63 - page 115

    Observe the following guidelines when using this variable: • When selecting a Layer 3 or Layer 4 variable, this variable must be left blank or set to IP. • If you choose to specify a protocol by its number, you can enter the value in decimal or hexadecimal format. ...

  • Allied Telesis AT-S63 - page 116

    Observe these guidelines when using this criterion: • The Protocol variable must be left blank or set to IP. • You cannot specify both an IP ToS value and an IP DSCP value in the same classifier. IP Protocol (Layer 3) You can define a traffic flow by the following Layer 3 protoco ...

  • Allied Telesis AT-S63 - page 117

    Observe this guideline when using these criteria: • The Protocol variable must be left blank or set to IP. TCP Source Ports (Layer 4) TCP Destination Ports (Layer 4) A traffic flow can be identified by a source and/or destination TCP port number contained within th ...

  • Allied Telesis AT-S63 - page 118

    Guidelines Follow these guidelines when creating a classifier: • Each classifier represents a separate traffic flow. • The variables within a classifier are linked by AND. The more variables defined within a classifier, the more specific it becomes in terms of the flow it defines ...

  • Allied Telesis AT-S63 - page 119

    Chapter 11 Access Control Lists This chapter describes access control lists (ACL) and how they can improve network security and performance. This chapter contains the following sections: • “Supported Platforms” on page 120 • “Overview” on page 121 • “Parts of an ACL” on page 123 • “Guide ...

  • Allied Telesis AT-S63 - page 120

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Switches – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Switches – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Laye ...

  • Allied Telesis AT-S63 - page 121

    Overview An access control list is a filter that controls the ingress traffic on a port. It defines a category of traffic and the action of the port when it receives packets of the category. The action can be to accept the defined packets or discard them. You can use ...

  • Allied Telesis AT-S63 - page 122

    4. Finally, if a packet does not meet the criteria of any ACLs on a port, it is accepted by the port. ...

  • Allied Telesis AT-S63 - page 123

    Parts of an ACL An ACL must have the following information: • Name - An ACL must have a name. The name of an ACL should indicate the type of traffic flow being filtered and, perhaps, also the action. An example might be “HTTPS flow - permit.” The more specific t ...

  • Allied Telesis AT-S63 - page 124

    Guidelines Here are the rules for creating ACLs: • A port can have multiple permit and deny ACLs. • An ACL must have at least one classifier. • An ACL can be assigned to more than one switch port. • An ACL filters ingress traffic, but not egress traffic. • The action o ...

  • Allied Telesis AT-S63 - page 125

    Examples This section contains several examples of ACLs. In this example, port 4 has been assigned one ACL, a deny ACL for the subnet 149.11.11.0. This ACL prevents the port from accepting any traffic originating from that subnet. Since this is the only ACL on the po ...

  • Allied Telesis AT-S63 - page 126

    To deny traffic from several subnets on the same port, you can create multiple classifiers and apply them to the same ACL, as illustrated in the next example. Three subnets are denied access to port 4. The three classifiers defining the subnets are applied to the same ACL. Fig ...

  • Allied Telesis AT-S63 - page 127

    The same result can be achieved by assigning the classifiers to different ACLs and assigning the ACLs to the same port, as in this example, again for port 4. Figure 8. ACL Example 3 Create Access Control Lists (ACL) 1 - ACL ID ................. 22 2 - Description .. ...

  • Allied Telesis AT-S63 - page 128

    In this example, the traffic on ports 14 and 15 is restricted to packets from the source subnet 149.44.44.0. All other IP traffic is denied. Classifier ID 11, which specifies the traffic flow to be permitted by the ports, is assigned to an ACL with an action of permit. Classifier ...

  • Allied Telesis AT-S63 - page 129

    The next example limits the ingress traffic on port 17 to IP packets from the subnet 149.22.11.0 and a Type of Service setting of 6, destined to the end node with the IP address 149.22.22.22. All other IP traffic and ARP packets are prohibited. Figure 11. ACL Example ...

  • Allied Telesis AT-S63 - page 131

    Chapter 12 Class of Service This chapter describes the Class of Service (CoS) feature. Sections in the chapter include: • “Supported Platforms” on page 132 • “Overview” on page 133 • “Scheduling” on page 136 ...

  • Allied Telesis AT-S63 - page 132

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Swit ...

  • Allied Telesis AT-S63 - page 133

    Overview When a port on an Ethernet switch becomes oversubscribed—its egress queues contain more packets than the port can handle in a timely manner—the port may be forced to delay the transmission of some packets, resulting in the delay of packets reaching their ...

  • Allied Telesis AT-S63 - page 134

    For example, when a tagged packet with a priority level of 3 enters a port on the switch, the packet is stored in the Q3 queue on the egress port. Note that priority 0 is mapped to CoS queue 1 instead of CoS queue 0 because tagged traffic that has never been prioritized has a VLAN ta ...

  • Allied Telesis AT-S63 - page 135

    Note that because all ports must use the same priority-to-egress queue mappings, these mappings are applied at the switch level. They cannot be set on a per-port basis. You can configure a port to completely ignore the priority levels in its tagged packets and instead ...

  • Allied Telesis AT-S63 - page 136

    Scheduling A switch port needs a mechanism for knowing the order in which it should handle the packets in its eight egress queues. For example, if all the queues contain packets, should the port transmit all packets from Q7, the highest priority queue, before moving on to the other ...

  • Allied Telesis AT-S63 - page 137

    Table 12 shows an example. In this example, the port transmits a maximum number of 15 packets from Q7 before moving to Q6, from where it transmits up to 10 packets, and so forth. For Q0 to Q6, the range of the maximum number of transmitted packets is 1 to 15. The range ...

  • Allied Telesis AT-S63 - page 138

    Table 13. Example of a Weight of Zero for Priority Queue 7 (Continued). Port Egress Queue / Maximum Number of Packets: Q6 / 15, Q7 / 0 ...

  • Allied Telesis AT-S63 - page 139

    Chapter 13 Quality of Service This chapter describes Quality of Service (QoS). Sections in the chapter include: • “Supported Platforms” on page 140 • “Overview” on page 141 • “Classifiers” on page 143 • “Flow Groups” on page 144 • “Traffic Classes” on page 145 • “Policies ...

  • Allied Telesis AT-S63 - page 140

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 S ...

  • Allied Telesis AT-S63 - page 141

    Overview Quality of Service allows you to prioritize traffic and/or limit the bandwidth available to it. The concept of QoS is a departure from the original networking protocols, which treated all traffic on the Internet or within a LAN in the same manner. Without QoS, ...

  • Allied Telesis AT-S63 - page 142

    The QoS functionality described in this chapter sorts packets into various flows, according to the QoS policy that applies to the port the traffic is received on. The switch then allocates resources to direct this traffic according to bandwidth or priority settings in the policy. ...

  • Allied Telesis AT-S63 - page 143

    Classifiers Classifiers identify a particular traffic flow, and range from general to specific. (See Chapter 10, “Classifiers” on page 109 for more information.) Note that a single classifier should not be used in different flows that will end up, through traffic cl ...

  • Allied Telesis AT-S63 - page 144

    Flow Groups Flow groups group similar traffic flows together, and allow more specific QoS controls to be used, in preference to those specified by the traffic class. Flow groups consist of a small set of QoS parameters and a group of classifiers. After a flow group has been added ...

  • Allied Telesis AT-S63 - page 145

    Traffic Classes Traffic classes are the central component of the QoS solution. They provide most of the QoS controls that allow a QoS solution to be deployed. A traffic class can be assigned to only one policy. Traffic classes consist of a set of QoS parameters and a g ...

  • Allied Telesis AT-S63 - page 146

    Policies QoS policies consist of a collection of user defined traffic classes. A policy can be assigned to more than one port, but a port may only have one policy. Note that the switch can only perform error checking of parameters and parameter values for the policy and its traff ...

  • Allied Telesis AT-S63 - page 147

    QoS Policy Guidelines Following is a list of QoS policy guidelines: • A classifier may be assigned to many flow groups. However, assigning a classifier more than once within the same policy may lead to undesirable results. A classifier may be used successfully in ma ...

  • Allied Telesis AT-S63 - page 148

    Packet Processing You can use the switch’s QoS tools to perform any combination of the following functions on a packet flow: • Limiting bandwidth • Prioritizing packets to determine the level of precedence the switch will give to the packet for processing • Replacing t ...

  • Allied Telesis AT-S63 - page 149

    Both the VLAN tag User Priority and the traffic class / flow group priority setting allow eight different priority values (0-7). These eight priorities are mapped to the switch’s eight CoS queues. The switch’s default mapping is shown in Table 10 on page 134. Note ...

  • Allied Telesis AT-S63 - page 150

    Replacing Priorities The traffic class or flow group priority (if set) determines the egress queue a packet is sent to when it egresses the switch, but by default has no effect on how the rest of the network processes the packet. To permanently change the packet’s priority, y ...

  • Allied Telesis AT-S63 - page 151

    DiffServ Domains Differentiated Services (DiffServ) is a method of dividing IP traffic into classes of service, without requiring that every router in a network remember detailed information about traffic flows. DiffServ operates within a DiffServ domain, a network o ...

  • Allied Telesis AT-S63 - page 152

    To use the QoS tool set to configure a DiffServ domain: 1. As packets come into the domain at edge switches, replace their DSCP value, if required. • Classify the packets according to the required characteristics. For available options, see Chapter 10, “Classifiers” on p ...

  • Allied Telesis AT-S63 - page 153

    Examples The following examples demonstrate how to implement QoS in three situations: • “Voice Applications,” next • “Video Applications” on page 155 • “Critical Database” on page 157 Voice Applications Voice applications typically require a small b ...

  • Allied Telesis AT-S63 - page 154

    Figure 13. QoS Voice Application Example The parts of the policies are: • Classifier - Defines the traffic flow by specifying the IP address of the node with the voice application. The classifier for Policy 6 specifies the address as a source address because this classifier is ...

  • Allied Telesis AT-S63 - page 155

    • Traffic Class - No action is taken by the traffic class, other than to specify the flow group. Traffic class has a priority setting you can use to override the priority level of packets, just as in a flow group. If you enter a priority value in both places, the s ...

  • Allied Telesis AT-S63 - page 156

    Figure 14. QoS Video Application Example The parts of the policies are: • Classifier - Specifies the IP address of the node with a video application. The classifier for Policy 17 specifies the address as a source address since this classifier is part of a policy concerning ...

  • Allied Telesis AT-S63 - page 157

    packets so they leave containing the new level, you would change option 5, Remark Priority, to Yes. • Traffic Class - The packet stream is assigned a maximum bandwidth of 5 Mbps. Bandwidth assignment can only be made at the traffic class level. • Policy - S ...

  • Allied Telesis AT-S63 - page 158

    Policy Component Hierarchy The purpose of this example is to illustrate the hierarchy of the components of a QoS policy and how that hierarchy needs to be taken into account when assigning new priority and DSCP values. A new priority can be set at the flow group and traffic class ...

  • Allied Telesis AT-S63 - page 159

    Figure 16. Policy Component Hierarchy Example Create Classifier 01 - Classifier ID: ..... 1 . 14 - Dst IP Addr ..... 149.11.11.0 15 - Dst IP Mask ..... 255.255.255.0 Create Flow Group 1 - Flow Group ID ......... 1 . 3 - DSCP Value ............. 10 . 9 - Classifier List ...

  • Allied Telesis AT-S63 - page 161

    Chapter 14 Denial of Service Defenses This chapter explains the defense mechanisms in the management software that can protect your network against denial of service (DoS) attacks. Sections in the chapter include: • “Supported Platforms” on page 162 • “Overview” on page 163 • “SYN Flood Attack ...

  • Allied Telesis AT-S63 - page 162

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic ...

  • Allied Telesis AT-S63 - page 163

    Overview The AT-S63 Management Software can help protect your network against the following types of denial of service attacks. • SYN Flood Attack • Smurf Attack • Land Attack • Teardrop Attack • Ping of Death Attack • IP Options Attack The following secti ...

  • Allied Telesis AT-S63 - page 164

    SYN Flood Attack In this type of attack, an attacker sends a large number of TCP connection requests (TCP SYN packets) with bogus source addresses to the victim. The victim responds with acknowledgements (SYN ACK packets), but because the original source addresses are b ...

  • Allied Telesis AT-S63 - page 165

    Smurf Attack This DoS attack is instigated by an attacker sending an ICMP Echo (Ping) request that has the network’s IP broadcast address as the destination address and the address of the victim as the source of the ICMP Echo (Ping) request. This overwhelms the v ...

  • Allied Telesis AT-S63 - page 166

    Land Attack In this attack, an attacker sends a bogus IP packet where the source and destination IP addresses are the same. This leaves the victim thinking that it is sending a message to itself. The most direct approach for defending against this form of attack is for ...

  • Allied Telesis AT-S63 - page 167

    2. If the source IP address is not local to the network, it discards the packet because it assumes that a packet with an IP address that is not local to the network should not be appearing on a port that is not an uplink port. This protects against the possibility of ...

  • Allied Telesis AT-S63 - page 168

    Teardrop Attack An attacker sends an IP packet in several fragments with a bogus offset value, used to reconstruct the packet, in one of the fragments to a victim. Because of the bogus offset value, the victim is unable to reassemble the packet, possibly causing it to f ...

  • Allied Telesis AT-S63 - page 169

    Ping of Death Attack The attacker sends an oversized, fragmented ICMP Echo (Ping) request (greater than 65,535 bits) to the victim, which, if lacking a policy for handling oversized packets, may freeze. To defend against this form of attack, a switch port searches for ...

  • Allied Telesis AT-S63 - page 170

    IP Options Attack In the basic scenario of an IP attack, an attacker sends packets containing bad IP options. There are several types of IP option attacks and the AT-S63 Management Software does not distinguish between them. Rather, the defense mechanism counts the numbe ...

  • Allied Telesis AT-S63 - page 171

    Mirroring Traffic The Land, Teardrop, Ping of Death, and IP Options defense mechanisms allow you to copy the examined traffic to a mirror port for further analysis with a data sniffer or analyzer. This feature differs slightly from port mirroring in that prior to an a ...

  • Allied Telesis AT-S63 - page 172

    Denial of Service Defense Guidelines Below are guidelines to observe when using this feature: • A switch port can support more than one DoS defense at a time. • The Teardrop and the Ping of Death defenses are CPU intensive. Use these defenses with caution. ...

  • Allied Telesis AT-S63 - page 173

    Section III Snooping Protocols The chapters in this section contain overview information on the snooping protocols. The chapters include: • Chapter 15, “IGMP Snooping” on page 175 • Chapter 16, “MLD Snooping” on page 179 • Chapter 17, “RRP Snooping” on page 183 • Chapter 18, “Ethernet ...

  • Allied Telesis AT-S63 - page 175

    Chapter 15 IGMP Snooping This chapter explains the Internet Group Management Protocol (IGMP) snooping feature in the following sections: • “Supported Platforms” on page 176 • “Overview” on page 177 ...

  • Allied Telesis AT-S63 - page 176

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Switch ...

  • Allied Telesis AT-S63 - page 177

    Overview IPv4 routers use IGMP to create lists of nodes that are members of multicast groups. (A multicast group is a group of end nodes that want to receive multicast packets from a multicast application.) The router creates a multicast membership list by periodica ...

  • Allied Telesis AT-S63 - page 178

    Without IGMP snooping, a switch would have to flood multicast packets out all of its ports, except the port on which it received the packet. Such flooding of packets can negatively impact network performance. The AT-9400 Switch maintains its list of multicast groups through an adjusta ...

  • Allied Telesis AT-S63 - page 179

    Chapter 16 MLD Snooping This chapter explains Multicast Listener Discovery (MLD) snooping: • “Supported Platforms” on page 180 • “Overview” on page 181 ...

  • Allied Telesis AT-S63 - page 180

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Switche ...

  • Allied Telesis AT-S63 - page 181

    Overview MLD snooping performs the same function as IGMP snooping. The switch uses the feature to build multicast membership lists. It uses the lists to forward multicast packets only to switch ports where there are host nodes that are members of the multicast groups. T ...

  • Allied Telesis AT-S63 - page 182


  • Allied Telesis AT-S63 - page 183

    Chapter 17 RRP Snooping This chapter explains RRP snooping and contains the following sections: • “Supported Platforms” on page 184 • “Overview” on page 185 • “Guidelines” on page 186 ...

  • Allied Telesis AT-S63 - page 184

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Switche ...

  • Allied Telesis AT-S63 - page 185

    Overview The Router Redundancy Protocol (RRP) allows multiple routers to share the same virtual IP address and MAC address. In network topologies where redundant router paths or links exist, the protocol enables routers, through an election process, to designate one a ...

  • Allied Telesis AT-S63 - page 186

    Guidelines The following guidelines apply to the RRP snooping feature: • The default setting for this feature is disabled. • Activating the feature flushes all dynamic MAC addresses from the MAC address table. • RRP snooping is supported on ports operating in the MAC address-bas ...

  • Allied Telesis AT-S63 - page 187

    Chapter 18 Ethernet Protection Switching Ring Snooping This chapter has the following sections: • “Supported Platforms” on page 188 • “Overview” on page 189 • “Restrictions” on page 191 • “Guidelines” on page 193 ...

  • Allied Telesis AT-S63 - page 188

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models Not supported. • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Switches ...

  • Allied Telesis AT-S63 - page 189

    Overview Ethernet Protection Switching Ring is a feature found on selected Allied Telesis products, such as the AT-8948 Series Gigabit Layer 3 Switches. It offers an effective alternative to spanning tree based options when using ring based topologies to create high s ...

  • Allied Telesis AT-S63 - page 190

    After creating the VLANs, you activate EPSR snooping by specifying the control VLAN with the ENABLE EPSRSNOOPING command. The switch immediately begins to monitor the VLAN for control messages from the master switch and reacts accordingly should it re ...

  • Allied Telesis AT-S63 - page 191

    Restrictions EPSR snooping has three important restrictions. All the restrictions are related to EPSR control messages and the fact that EPSR snooping cannot generate these messages. The AT-9400 Switch cannot fulfill the role of master node of a ring because EPSR snoo ...

  • Allied Telesis AT-S63 - page 192

    Figure 17. Double Fault Condition in EPSR Snooping Now assume the link is reestablished between the switch and transit node. At that point, the port on the transit node enters a preforwarding state in which it forwards EPSR packets over the control VLAN ...

  • Allied Telesis AT-S63 - page 193

    Guidelines The guidelines to EPSR snooping are: • The AT-9400 Switch can support up to sixteen control VLANs and so up to sixteen EPSR instances. • The AT-9400 Switch cannot be the master node of a ring. • EPSR snooping does not support the transit node unsoli ...

  • Allied Telesis AT-S63 - page 194


  • Allied Telesis AT-S63 - page 195

    Section IV SNMPv3 The chapter in this section contains overview information on SNMPv3. The chapter is: • Chapter 19, “SNMPv3” on page 197 ...

  • Allied Telesis AT-S63 - page 196


  • Allied Telesis AT-S63 - page 197

    Chapter 19 SNMPv3 This chapter provides a description of the AT-S63 implementation of the SNMPv3 protocol. The following sections are provided: • “Supported Platforms” on page 198 • “Overview” on page 199 • “SNMPv3 Authentication Protocols” on page 200 • “SNMPv3 Privacy Protocol” on page 201 • ...

  • Allied Telesis AT-S63 - page 198

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Switches and the AT-Stac ...

  • Allied Telesis AT-S63 - page 199

    Overview The SNMPv3 protocol builds on the existing SNMPv1 and SNMPv2c protocol implementation which is described in Chapter 3, “SNMPv1 and SNMPv2c” on page 65. In SNMPv3, User-based Security Model (USM) authentication is implemented along with encryption, allowing you to conf ...

  • Allied Telesis AT-S63 - page 200

    SNMPv3 Authentication Protocols The SNMPv3 protocol supports two authentication protocols—HMAC-MD5-96 (MD5) and HMAC-SHA-96 (SHA). Both MD5 and SHA use an algorithm to generate a message digest. Each authentication protocol authenticates a user by checking the message digest. In addition, both protoco ...

  • Allied Telesis AT-S63 - page 201

    SNMPv3 Privacy Protocol After you have configured an authentication protocol, you have the option of assigning a privacy protocol if you have the encrypted version of the AT-S63 software. In SNMPv3 protocol terminology, privacy is equivalent to encryption. Currently, the DES proto ...

  • Allied Telesis AT-S63 - page 202

    SNMPv3 MIB Views The SNMPv3 protocol allows you to configure MIB views for users and groups. The MIB tree is defined by RFC 1155 (Structure of Management Information). See Figure 18. Figure 18. MIB Tree The AT-S63 software supports the MIB tree, starting with the Internet MIBs, as defined by 1.3.6.1. Ther ...

  • Allied Telesis AT-S63 - page 203

    After you specify a MIB subtree view you have the option of further restricting a view by defining a subtree mask. The relationship between a MIB subtree view and a subtree mask is analogous to the relationship between an IP address and a subnet mask. The switch uses the subnet mas ...

  • Allied Telesis AT-S63 - page 204

    SNMPv3 Storage Types Each SNMPv3 table entry has its own storage type. You can choose between nonvolatile storage, which allows you to save the table entry, or volatile storage, which does not allow you to save an entry. If you select the volatile storage type, when you power off the switch your SNMPv3 conf ...

  • Allied Telesis AT-S63 - page 205

    SNMPv3 Message Notification When you generate an SNMPv3 message from the switch, there are three basic pieces of information included in the message: • The type of message • The destination of the message • SNMP security information To configure the type of message, you need to ...

  • Allied Telesis AT-S63 - page 206

    SNMPv3 Tables The SNMPv3 configuration is neatly divided into configuring SNMPv3 user information and configuring the message notification. You must configure all seven tables to successfully configure the SNMPv3 protocol. You use the following tables for user configuration: • Configure SNMPv3 User Ta ...

  • Allied Telesis AT-S63 - page 207

    • Configure SNMPv3 Notify Table • Configure SNMPv3 Target Address Table • Configure SNMPv3 Target Parameters Table You start the message notification configuration by defining the type of message you want to send with the SNMPv3 Notify Table. Then you define an IP address ...

  • Allied Telesis AT-S63 - page 208

    • “SNMPv3 Target Parameters Table” on page 209 • “SNMPv3 Community Table” on page 209 SNMPv3 User Table The Configure SNMPv3 User Table menu allows you to create an SNMPv3 user and provides the options of configuring authentication and privacy protocols. With the SNMPv3 protocol, users are ...

  • Allied Telesis AT-S63 - page 209

    SNMPv3 Notify Table The Configure SNMPv3 Notify Table menu allows you to define the type of message that is sent from the switch to the SNMP host. In addition, you have the option of defining the message type as either an Inform or a Trap message. The difference between these two ty ...

  • Allied Telesis AT-S63 - page 210

    SNMPv3 Configuration Example You may want to have two classes of SNMPv3 users—Managers and Operators. In this scenario, you would configure one group, called Managers, with full access privileges. Then you would configure a second group, called Operators, with monitoring privileges only. For a detailed ...

  • Allied Telesis AT-S63 - page 211

    Section V Spanning Tree Protocols The section has the following chapters: • Chapter 20, “Spanning Tree and Rapid Spanning Tree Protocols” on page 213 • Chapter 21, “Multiple Spanning Tree Protocol” on page 225 ...

  • Allied Telesis AT-S63 - page 212


  • Allied Telesis AT-S63 - page 213

    Chapter 20 Spanning Tree and Rapid Spanning Tree Protocols This chapter provides background information on the Spanning Tree Protocol (STP) and Rapid Spanning Tree Protocol (RSTP). The sections in this chapter include: • “Supported Platforms” on page 214 • “Overview” on page 215 • “Bridg ...

  • Allied Telesis AT-S63 - page 214

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448T ...

  • Allied Telesis AT-S63 - page 215

    Overview The performance of an Ethernet network can be negatively impacted by the formation of a data loop in the network topology. A data loop exists when two or more nodes on a network can transmit data to each other over more than one data path. The problem that da ...

  • Allied Telesis AT-S63 - page 216

    Bridge Priority and the Root Bridge The first task that bridges perform when a spanning tree protocol is activated on a network is the selection of a root bridge. A root bridge distributes network topology information to the other network bridge ...

  • Allied Telesis AT-S63 - page 217

    Path Costs and Port Costs After the root bridge has been selected, the bridges determine if the network contains redundant paths and, if one is found, select a preferred path while placing the redundant paths in a backup or blocking state. Where there is only one ...

  • Allied Telesis AT-S63 - page 218

    Table 16 lists the STP port costs with Auto-Detect when a port is part of a port trunk. Table 17 lists the RSTP port costs with Auto-Detect. Table 18 lists the RSTP port costs with Auto-Detect when the port is part of a port trunk. You can overr ...

  • Allied Telesis AT-S63 - page 219

    Table 19. Port Priority Value Increments

    Increment   Bridge Priority   Increment   Bridge Priority
    0           0                 8           128
    1           16                9           144
    2           32                10          160
    3           48                11          176
    4           64                12          192
    5           80                13          208
    6           96                14          224
    7           112               15          240
    ...

  • Allied Telesis AT-S63 - page 220

    Forwarding Delay and Topology Changes If there is a change in the network topology due to a failure, removal, or addition of any active components, the active topology also changes. This may trigger a change in the state of some blocked ports. How ...

  • Allied Telesis AT-S63 - page 221

    seconds and the default is two seconds. Consequently, if the AT-9400 Switch is selected as the root bridge of a spanning tree domain, it transmits a BPDU every two seconds. Point-to-Point and Edge Ports Note This section applies only to RSTP. Part of the task of conf ...

  • Allied Telesis AT-S63 - page 222

    Figure 22. Edge Port A port can be both a point-to-point and an edge port at the same time. It operates in full-duplex and has no STP or RSTP devices connected to it. Figure 23 illustrates a port functioning as both a point-to-point and edge por ...

  • Allied Telesis AT-S63 - page 223

    Mixed STP and RSTP Networks RSTP IEEE 802.1w is fully compliant with STP IEEE 802.1d. Your network can consist of bridges running both protocols. STP and RSTP in the same network can operate together to create a single spanning tree domain. If you decide to activate s ...

  • Allied Telesis AT-S63 - page 224

    Spanning Tree and VLANs The spanning tree implementation in the AT-S63 Management Software is a single-instance spanning tree. The switch supports just one spanning tree. You cannot define multiple spanning trees. The single spanning tree encompa ...

  • Allied Telesis AT-S63 - page 225

    Chapter 21 Multiple Spanning Tree Protocol This chapter provides background information on the Multiple Spanning Tree Protocol (MSTP). The sections in this chapter include: • “Supported Platforms” on page 226 • “Overview” on page 227 • “Multiple Spanning Tree Instance (MSTI)” on page ...

  • Allied Telesis AT-S63 - page 226

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack o ...

  • Allied Telesis AT-S63 - page 227

    Overview As mentioned in Chapter 20, “Spanning Tree and Rapid Spanning Tree Protocols” on page 213, STP and RSTP are referred to as single-instance spanning trees that search for physical loops across all VLANs in a bridged network. When loops are detected, the ...

  • Allied Telesis AT-S63 - page 228

    Multiple Spanning Tree Instance (MSTI) The individual spanning trees in MSTP are referred to as Multiple Spanning Tree Instances (MSTIs). An MSTI can span any number of AT-9400 Switches. The switch can support up to 16 MSTIs at a time. To create an MSTI, you first ...

  • Allied Telesis AT-S63 - page 229

    Figure 25. VLAN Fragmentation with STP or RSTP Blocked Port ...

  • Allied Telesis AT-S63 - page 230

    Figure 26 illustrates the same two AT-9400 Switches and the same two virtual LANs. But in this example, the two switches are running MSTP and the two VLANs have been assigned different spanning tree instances. Now that they reside in different MSTIs, both links re ...

  • Allied Telesis AT-S63 - page 231

    An MSTI can contain more than one VLAN. This is illustrated in Figure 27 where there are two AT-9400 Switches with four VLANs. There are two MSTIs, each containing two VLANs. MSTI 1 contains the Sales and Presales VLANs and MSTI 2 contains the Design and Engineering V ...

  • Allied Telesis AT-S63 - page 232

    MSTI Guidelines Following are several guidelines to keep in mind about MSTIs: • The AT-9400 Switch can support up to 16 spanning tree instances, including the CIST. • An MSTI can contain any number of VLANs. • A VLAN can belong to only one MSTI at a time. • ...

  • Allied Telesis AT-S63 - page 233

    VLAN and MSTI Associations Part of the task of configuring MSTP involves assigning VLANs to spanning tree instances. The mapping of VLANs to MSTIs is called associations. A VLAN, either port-based or tagged, can belong to only one instance at a time, but an instan ...

  • Allied Telesis AT-S63 - page 234

    Ports in Multiple MSTIs A port can be a member of more than one MSTI at a time if it is a tagged member of one or more VLANs assigned to different MSTIs. In this circumstance, a port might have to operate in different spanning tree states simultaneously, d ...

  • Allied Telesis AT-S63 - page 235

    Multiple Spanning Tree Regions Another important concept of MSTP is regions. An MSTP region is defined as a group of bridges that share exactly the same MSTI characteristics. Those characteristics are: • Configuration name • Revision number • VLANs • VLAN to ...

  • Allied Telesis AT-S63 - page 236

    Figure 28 illustrates the concept of regions. It shows one MSTP region consisting of two AT-9400 Switches. Each switch in the region has the same configuration name and revision level. The switches also have the same five VLANs and the VLANs are associated with t ...

  • Allied Telesis AT-S63 - page 237

    The same is true for any ports connected to bridges running the single-instance spanning tree STP or RSTP. Those ports are also considered as part of another region. Each MSTI functions as an independent spanning tree within a region. Consequently, each MSTI must ...

  • Allied Telesis AT-S63 - page 238

    Common and Internal Spanning Tree (CIST) MSTP has a default spanning tree instance called the Common and Internal Spanning Tree (CIST). This instance has an MSTI ID of 0. This instance has unique features and functions that make it different from the MSTIs that ...

  • Allied Telesis AT-S63 - page 239

    Summary of Guidelines Careful planning is essential for the successful implementation of MSTP. This section reviews all the rules and guidelines mentioned in earlier sections, and contains a few new ones: • The AT-9400 Switch can support up to 16 spanning tree insta ...

  • Allied Telesis AT-S63 - page 240

    Note The AT-S63 MSTP implementation complies fully with the new IEEE 802.1s standard. Any other vendor’s fully compliant 802.1s implementation is interoperable with the AT-S63 implementation. ...

  • Allied Telesis AT-S63 - page 241

    Associating VLANs to MSTIs Allied Telesis recommends that you assign all VLANs on a switch to an MSTI. You should not leave a VLAN assigned to just the CIST, including the Default_VLAN. This is to prevent the blocking of a port that should be in the forwarding state ...

  • Allied Telesis AT-S63 - page 242

    Figure 30. CIST and VLAN Guideline - Example 2 When port 4 on switch B receives a BPDU, the switch notes the port sending the packet belongs only to CIST. Therefore, switch B uses CIST in determining whether a loop exists. The result would be that the switch detec ...

  • Allied Telesis AT-S63 - page 243

    Connecting VLANs Across Different Regions Special consideration needs to be taken into account when you connect different MSTP regions or an MSTP region and a single-instance STP or RSTP region. Unless planned properly, VLAN fragmentation can occur between the VLAN ...

  • Allied Telesis AT-S63 - page 244

    Another approach is to group those VLANs that need to span regions into the same MSTI. Those VLANs that do not span regions can be assigned to other MSTIs. Here is an example. Assume that you have two regions that contain the following VLANs: Region 1 VLANs Regio ...

  • Allied Telesis AT-S63 - page 245

    Section VI Virtual LANs The chapters in this section discuss the various types of virtual LANs supported by the AT-9400 Switch. The chapters include: • Chapter 22, “Port-based and Tagged VLANs” on page 247 • Chapter 23, “GARP VLAN Registration Protocol” on page 261 • Chapter 24, “Multiple VLAN Mode ...

  • Allied Telesis AT-S63 - page 246


  • Allied Telesis AT-S63 - page 247

    Chapter 22 Port-based and Tagged VLANs This chapter contains overview information about port-based and tagged virtual LANs (VLANs). This chapter contains the following sections: • “Supported Platforms” on page 248 • “Overview” on page 249 • “Port-based VLAN Overview” on page 251 • “Tagged VL ...

  • Allied Telesis AT-S63 - page 248

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 ...

  • Allied Telesis AT-S63 - page 249

    Overview A VLAN is a group of ports on an Ethernet switch that form a logical Ethernet segment. The ports of a VLAN form an independent traffic domain where the traffic generated by the nodes of a VLAN remains within the VLAN. With VLANs, you can segment your network through th ...

  • Allied Telesis AT-S63 - page 250

    Management Software. You can change the VLAN memberships through the management software without moving the workstations physically, or changing group memberships by moving cables from one switch port to another. In addition, a virtual LAN can span more than one switch. Thi ...

  • Allied Telesis AT-S63 - page 251

    Port-based VLAN Overview As explained in “Overview” on page 249, a VLAN consists of a group of ports on one or more Ethernet switches that form an independent traffic domain. Traffic generated by the end nodes of a VLAN remains within the VLAN and does not cross over to th ...

  • Allied Telesis AT-S63 - page 252

    three AT-9400 Switches, you would assign the Marketing VLAN on each switch the same VID. You can assign this number manually or allow the AT-S63 Management Software to do it automatically. If you allow the management software to do it automatically, it selects the next availabl ...

  • Allied Telesis AT-S63 - page 253

    Guidelines to Creating a Port-based VLAN Below are the guidelines to creating a port-based VLAN. • Each port-based VLAN must be assigned a unique VID. If a particular VLAN spans multiple switches, each part of the VLAN on the different switches should be assigned the same ...

  • Allied Telesis AT-S63 - page 254

    Port-based Example 1 Figure 32 illustrates an example of one AT-9424T/SP Gigabit Ethernet Switch with three port-based VLANs. (For purposes of the following examples, the Default_VLAN is not shown.) Figure 32. Port-based VLAN - Example 1 The table below lists the port assignment ...

  • Allied Telesis AT-S63 - page 255

    In the example, each VLAN has one port connected to the router. The router interconnects the various VLANs and functions as a gateway to the WAN. Port-based Example 2 Figure 33 illustrates more port-based VLANs. In this example, two VLANs, Sales and Engineering, span two AT-94 ...

  • Allied Telesis AT-S63 - page 256

    The table below lists the port assignments for the Sales, Engineering, and Production VLANs on the switches: • Sales VLAN - This VLAN spans both switches. It has a VID value of 2 and consists of six untagged ports on the top switch and five untagged ports on the bottom switc ...

  • Allied Telesis AT-S63 - page 257

    Tagged VLAN Overview The second type of VLAN supported by the AT-S63 Management Software is the tagged VLAN. VLAN membership in a tagged VLAN is determined by information within the frames that are received on a port. This differs from a port-based VLAN, where the PVIDs assign ...

  • Allied Telesis AT-S63 - page 258

    • Port VLAN Identifier Note For explanations of VLAN name and VLAN identifier, refer back to “VLAN Name” on page 251 and “VLAN Identifier” on page 251. Tagged and Untagged Ports You need to specify which ports will be members of the VLAN. In the case of a tagged VLAN, i ...

  • Allied Telesis AT-S63 - page 259

    Tagged VLAN Example Figure 34 illustrates how tagged ports can be used to interconnect IEEE 802.1Q-based products. Figure 34. Example of a Tagged VLAN ...

  • Allied Telesis AT-S63 - page 260

    The port assignments for the VLANs are as follows: This example is nearly identical to the “Port-based Example 2” on page 255. Tagged ports have been added to simplify network implementation and management. One of the tagged ports is port 2 on the top switch. This port has be ...

  • Allied Telesis AT-S63 - page 261

    Chapter 23 GARP VLAN Registration Protocol This chapter describes the GARP VLAN Registration Protocol (GVRP) and contains the following sections: • “Supported Platforms” on page 262 • “Overview” on page 263 • “Guidelines” on page 266 • “GVRP and Network Security” on page 267 • “GVRP-inact ...

  • Allied Telesis AT-S63 - page 262

    Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Lay ...

  • Allied Telesis AT-S63 - page 263

    Overview The GARP VLAN Registration Protocol (GVRP) allows network devices to share VLAN information. The main purpose of GVRP is to allow switches to automatically discover some of the VLAN information that would otherwise need to be manually configured in each switch. This is ...

  • Allied Telesis AT-S63 - page 264

    Figure 35 provides an example of how GVRP works. Figure 35. GVRP Example Switches #1 and #3 contain the Sales VLAN, but switch #2 does not. Consequently, the end nodes of the two parts of the Sales VLANs are unable to communicate with each other. Without GVRP, you would nee ...

  • Allied Telesis AT-S63 - page 265

    as a tagged dynamic GVRP port. If the port is already a member of the VLAN, then no change is made. 5. Switch #3 sends a PDU out port 4 to switch #2. 6. Switch #2 receives the PDU on port 3 and then adds the port as a tagged dynamic GVRP port to the dynamic GVRP_VLAN_11 VLA ...

  • Allied Telesis AT-S63 - page 266

    Chapter 23: GARP VLAN Registration Protocol 266 Section VI: Virtual LANs Guidelines Following are guidelines to observe when using this feature: • GVRP is supported with STP and RSTP, or without spanning tree. GVRP is not supported with MSTP. • GVRP is supported when the switch is operating in the tagged VLAN mode, which is the VLAN mode ...

  • Allied Telesis AT-S63 - page 267

    AT-S63 Management Software Features Guide Section VI: Virtual LANs 267 GVRP and Network Security GVRP should be used with caution because it can expose your network to unauthorized access. A network intruder can gain access to restricted parts of the network by connecting to a switch port running GVRP and transmitting a bogus GVRP PDU containing VI ...

  • Allied Telesis AT-S63 - page 268

    Chapter 23: GARP VLAN Registration Protocol 268 Section VI: Virtual LANs GVRP-inactive Intermediate Switches If two GVRP-active devices are separated by a GVRP-inactive switch, the GVRP-active devices may not be able to share VLAN information. There are two issues involved. The first is whether the intermediate switch forwards the GVRP PDUs th a ...

  • Allied Telesis AT-S63 - page 269

    AT-S63 Management Software Features Guide Section VI: Virtual LANs 269 Generic Attribute Registration Protocol (GARP) Overview The following is a technical overview of GARP. An understanding of GARP may prove helpful when you use GVRP. The purpose of the Generic Attribute Registration Protocol (GARP) is to provide a generic framework whereby devi ...

  • Allied Telesis AT-S63 - page 270

    Chapter 23: GARP VLAN Registration Protocol 270 Section VI: Virtual LANs GARP architecture is shown in Figure 36. Figure 36. GARP Architecture The GARP application component of the GARP participant is responsible for defining the semantics associated with the parameter values and operators received in GARP PDUs, and for generating GARP PDUs for t ...

  • Allied Telesis AT-S63 - page 271

    AT-S63 Management Software Features Guide Section VI: Virtual LANs 271 Figure 37. GID Architecture GARP registers and deregisters attribute values through GARP messages sent at the GID level. A GARP participant that wishes to make a declaration (an applicant registering an attribute value) sends a JoinIn or JoinEmpty message. An applicant that wish ...

  • Allied Telesis AT-S63 - page 272

    Chapter 23: GARP VLAN Registration Protocol 272 Section VI: Virtual LANs To control the applicant state machine, an applicant administrative control parameter is provided. This parameter determines whether or not the applicant state machine participates in GARP protocol exchanges. The default value has the applicant participating in the exchan ...

  • Allied Telesis AT-S63 - page 273

    Section VI: Virtual LANs 273 Chapter 24 Multiple VLAN Modes This chapter describes the multiple VLAN modes. This chapter contains the following sections: • “Supported Platforms” on page 274 • “Overview” on page 275 • “802.1Q-Compliant Multiple VLAN Mode” on page 276 • “Non-802.1Q Compliant Multiple VLAN Mode” on page 27 ...

  • Allied Telesis AT-S63 - page 274

    Chapter 24: Multiple VLAN Modes 274 Section VI: Virtual LANs Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Switche ...

  • Allied Telesis AT-S63 - page 275

    AT-S63 Management Software Features Guide Section VI: Virtual LANs 275 Overview The multiple VLAN modes are designed to simplify the task of configuring the switch in network environments that require a high degree of network segmentation. In a multiple VLAN mode, the ports on a switch are prohibited from forwarding traffic to each other and are o ...

  • Allied Telesis AT-S63 - page 276

    Chapter 24: Multiple VLAN Modes 276 Section VI: Virtual LANs 802.1Q-Compliant Multiple VLAN Mode In this mode, each port is placed into a separate VLAN as an untagged port. The VLAN names and VID numbers are based on the port numbers. For example, the VLAN for port 4 is named Client_VLAN_4 and is given the VID of 4, the VLAN for port 5 is nam ...

  • Allied Telesis AT-S63 - page 277

    AT-S63 Management Software Features Guide Section VI: Virtual LANs 277 This highly segmented configuration is useful in situations where traffic generated by each end node or network segment connected to a port on the switch needs to be kept separate from all other network traffic, while still allowing access to an uplink to a WAN. Unicast traff ...

  • Allied Telesis AT-S63 - page 278

    Chapter 24: Multiple VLAN Modes 278 Section VI: Virtual LANs Non-802.1Q Compliant Multiple VLAN Mode Unlike the 802.1Q-compliant VLAN mode, which isolates port traffic by placing each port in a separate VLAN, this mode forms one VLAN with a VID of 1 that encompasses all ports. To establish traffic isolation, it uses port mapping. The result, ho ...

  • Allied Telesis AT-S63 - page 279

    Section VI: Virtual LANs 279 Chapter 25 Protected Ports VLANs This chapter explains protected ports VLANs. It contains the following sections: • “Supported Platforms” on page 280 • “Overview” on page 281 • “Guidelines” on page 283 ...

  • Allied Telesis AT-S63 - page 280

    Chapter 25: Protected Ports VLANs 280 Section VI: Virtual LANs Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Switch ...

  • Allied Telesis AT-S63 - page 281

    AT-S63 Management Software Features Guide Section VI: Virtual LANs 281 Overview The purpose of a protected ports VLAN is to allow multiple ports on the switch to share the same uplink port but not share traffic with each other. This feature has some of the same characteristics as the multiple VLAN modes described in the previous chapter, but it ...

  • Allied Telesis AT-S63 - page 282

    Chapter 25: Protected Ports VLANs 282 Section VI: Virtual LANs To create a protected ports VLAN, you perform many of the same steps that you do when you create a new port-based or tagged VLAN. You give it a name and a unique VID, and you indicate which of the ports will be tagged and untagged. What makes creating this type of VLAN different is tha ...

  • Allied Telesis AT-S63 - page 283

    AT-S63 Management Software Features Guide Section VI: Virtual LANs 283 Guidelines Following are the guidelines for implementing protected ports VLANs: • A protected ports VLAN should contain a minimum of two groups. A protected ports VLAN of only one group can be replaced with a port-based or tagged VLAN instead. • A protected ports V ...

  • Allied Telesis AT-S63 - page 284

    Chapter 25: Protected Ports VLANs 284 Section VI: Virtual LANs ...

  • Allied Telesis AT-S63 - page 285

    Section VI: Virtual LANs 285 Chapter 26 MAC Address-based VLANs This chapter contains overview information about MAC address-based VLANs. Sections in the chapter include: • “Supported Platforms” on page 286 • “Overview” on page 287 • “Egress Ports” on page 288 • “VLANs That Span Switches” on page 291 • “VLAN Hiera ...

  • Allied Telesis AT-S63 - page 286

    Chapter 26: MAC Address-based VLANs 286 Section VI: Virtual LANs Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models Not supported. • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Switches and the AT-StackXG Stacki ...

  • Allied Telesis AT-S63 - page 287

    AT-S63 Management Software Features Guide Section VI: Virtual LANs 287 Overview As explained in “Overview” on page 249, VLANs are a means for creating independent LAN segments within a network and are typically employed to improve network performance and security. The AT-S63 Management Software offers several different types of VLANs, includin ...

  • Allied Telesis AT-S63 - page 288

    Chapter 26: MAC Address-based VLANs 288 Section VI: Virtual LANs Egress Ports Implementing a MAC address-based VLAN involves more than entering the MAC addresses of the end nodes that are members of the VLAN. You must also designate the egress ports on the switch for the packets from the nodes. The egress ports define the limits of flooding of p ...

  • Allied Telesis AT-S63 - page 289

    AT-S63 Management Software Features Guide Section VI: Virtual LANs 289 The community characteristic of egress ports relieves you from having to map each address to its corresponding egress port. You only need to be sure that all egress ports in a MAC address-based VLAN are represented at least once by being assigned to at least one address. It i ...

  • Allied Telesis AT-S63 - page 290

    Chapter 26: MAC Address-based VLANs 290 Section VI: Virtual LANs If security is a major concern for your network, you might not want to assign a port as an egress port to more than one VLAN when planning your MAC address-based VLANs. When a packet whose source MAC address is part of a MAC address-based VLAN arrives on a port, the switch perfor ...

  • Allied Telesis AT-S63 - page 291

    AT-S63 Management Software Features Guide Section VI: Virtual LANs 291 VLANs That Span Switches To create a MAC address-based VLAN that spans switches, you must replicate the MAC addresses of the VLAN nodes on all the switches where the VLAN exists. The same MAC address-based VLAN on different switches must have the same list of MAC addresses. ...

  • Allied Telesis AT-S63 - page 292

    Chapter 26: MAC Address-based VLANs 292 Section VI: Virtual LANs Table 23. Example of a MAC Address-based VLAN Spanning Switches. Switch A, VLAN Name: Sales (MAC Address / Egress Ports): Address_1 / 1,3,4,5; Address_2 / 1; Address_3 / 1; Address_4 / ... Switch B, VLAN Name: Sales (MAC Address / Egress Ports): Address_1 / 11,12,14,16; Address_2 / 11; Address_3 / 11; Address_4 / ...

  • Allied Telesis AT-S63 - page 293

    AT-S63 Management Software Features Guide Section VI: Virtual LANs 293 VLAN Hierarchy The switch’s management software employs a VLAN hierarchy when handling untagged packets that arrive on a port that is an egress port of a MAC address-based VLAN as well as an untagged port of a port-based VLAN. (A port can be a member of both types of VLANs at ...

  • Allied Telesis AT-S63 - page 294

    Chapter 26: MAC Address-based VLANs 294 Section VI: Virtual LANs Steps to Creating a MAC Address-based VLAN Here are the three main steps to creating a MAC address-based VLAN: 1. Assign the VLAN a name and a VID. You must also set the VLAN type to MAC Based. 2. Assign the MAC addresses to the VLAN. 3. Add the egress ports to the MAC addresses. Th ...

  • Allied Telesis AT-S63 - page 295

    AT-S63 Management Software Features Guide Section VI: Virtual LANs 295 Guidelines Follow these guidelines when implementing a MAC address-based VLAN: • MAC address-based VLANs are not supported on the AT-9408LC/SP, AT-9424T/GB and AT-9424T/SP switches. • The switch can support up to a total of 4094 port-based, tagged, protected ports, an ...

  • Allied Telesis AT-S63 - page 296

    Chapter 26: MAC Address-based VLANs 296 Section VI: Virtual LANs • Egress ports cannot be part of a static or LACP trunk. • Since this type of VLAN does not support tagged packets, it is not suitable in environments where a network device, such as a network server, needs to be shared between multiple VLANs. • Ports 49 and 50 on the A ...

  • Allied Telesis AT-S63 - page 297

    Section VII: Internet Protocol Routing 297 Section VII Routing This section has the following chapters: • Chapter 27, “Internet Protocol Version 4 Packet Routing” on page 299 • Chapter 28, “BOOTP Relay Agent” on page 331 • Chapter 29, “Virtual Router Redundancy Protocol” on page 337 ...

  • Allied Telesis AT-S63 - page 298

    298 Section VII: Internet Protocol Routing ...

  • Allied Telesis AT-S63 - page 299

    299 Chapter 27 Internet Protocol Version 4 Packet Routing This chapter describes Internet Protocol version 4 (IPv4) packet routing on the AT-9400 Basic Layer 3 Switches. The chapter covers routing interfaces, static routes, and the Routing Information Protocol (RIP) versions 1 and 2. The sections in the chapter include: • “Supported Platfo ...

  • Allied Telesis AT-S63 - page 300

    Chapter 27: Internet Protocol Version 4 Packet Routing 300 Section VII: Routing Supported Platforms This feature is supported on the following switches: • Layer 2+ Models – Not supported • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Switches and the AT-StackXG ...

  • Allied Telesis AT-S63 - page 301

    AT-S63 Management Software Features Guide Section VII: Routing 301 Overview This section contains an overview of the IPv4 routing feature on the AT-9400 Switch. It begins with an explanation of the following available routing methods: • Routing interfaces • Static routes • RIP version 1 and 2 A routing interface is a logical connection to ...

  • Allied Telesis AT-S63 - page 302

    Chapter 27: Internet Protocol Version 4 Packet Routing 302 Section VII: Routing At the end of this overview are two examples that illustrate the sequence of commands for implementing the features described in this chapter. You can refer there to see how the commands are used in practice. The sections are “Routing Command Example” on page 324 a ...

  • Allied Telesis AT-S63 - page 303

    AT-S63 Management Software Features Guide Section VII: Routing 303 Routing Interfaces The IPv4 packet routing feature on the switch is built on the foundation of the routing interface. An interface functions as a logical connection to a subnet that allows the egress and ingress of IPv4 packets to the subnet from other local and remote networks ...

  • Allied Telesis AT-S63 - page 304

    Chapter 27: Internet Protocol Version 4 Packet Routing 304 Section VII: Routing Note Routing interfaces can be configured from either the command line interface or the menus interface. The following subsections describe the three main components of a routing interface: • VLAN ID (VID) • Interface number • IP address and subnet mask VLAN ID ( ...

  • Allied Telesis AT-S63 - page 305

    AT-S63 Management Software Features Guide Section VII: Routing 305 the other interfaces in the same VLAN must be assigned manually. For example, if there are four interfaces and each of their respective subnets resided in a separate VLAN, then each interface can obtain its IP address and subnet mask from a DHCP or BOOTP server. However, if the ...

  • Allied Telesis AT-S63 - page 306

    Chapter 27: Internet Protocol Version 4 Packet Routing 306 Section VII: Routing Interface Names Many of the IPv4 routing commands have a parameter for an interface name. An interface name consists of a VLAN and an interface number, separated by a dash. The VLAN is designated by “vlan” followed by the VLAN identification number (VID) or the VL ...

  • Allied Telesis AT-S63 - page 307

    AT-S63 Management Software Features Guide Section VII: Routing 307 Static Routes In order for the switch to route an IPv4 packet to a remote network or subnet, there must be a route to the destination in the routing table of the switch. The route must consist of the IP address of the remote destination and the IP address of the next hop to reac ...

  • Allied Telesis AT-S63 - page 308

    Chapter 27: Internet Protocol Version 4 Packet Routing 308 Section VII: Routing destination. The range for the preference parameter is 0 to 65535. The lower the value, the higher the preference. The default value for a static route is 60. The commands for managing static routes are ADD IP ROUTE, DELETE IP ROUTE, and SET IP ROUTE. Note The command ...

  • Allied Telesis AT-S63 - page 309

    AT-S63 Management Software Features Guide Section VII: Routing 309 Routing Information Protocol (RIP) A switch can automatically learn routes to remote destinations by sharing the contents of its routing table with its neighboring routers in the network with the Routing Information Protocol (RIP) versions 1 and 2. RIP is a fairly simple distance ...

  • Allied Telesis AT-S63 - page 310

    Chapter 27: Internet Protocol Version 4 Packet Routing 310 Section VII: Routing their tables. Note A RIP version 2 password is sent in plaintext. The AT-S63 Management Software does not support encrypted RIP passwords. The switch broadcasts its routing table every thirty seconds from those interfaces that have RIP. This interval is not adjustabl ...

  • Allied Telesis AT-S63 - page 311

    AT-S63 Management Software Features Guide Section VII: Routing 311 Default Routes A default route is used when the switch cannot find a route in its routing table for a packet that needs to be forwarded to a remote destination. Rather than discard the packet, the switch sends it to the next hop specified in the default route. A default route has ...

  • Allied Telesis AT-S63 - page 312

    Chapter 27: Internet Protocol Version 4 Packet Routing 312 Section VII: Routing Equal-cost Multi-path (ECMP) Routing The routing table uses ECMP to store multiple routes to a remote destination so that the switch can distribute the traffic load over several routes. This can improve network performance by increasing the available bandwidth for tra ...

  • Allied Telesis AT-S63 - page 313

    AT-S63 Management Software Features Guide Section VII: Routing 313 ECMP also applies to default routes. This enables the switch to store up to 32 default routes with up to eight of the routes active at one time. The ECMP feature can be enabled and disabled on the switch. The operating status of ECMP does not affect the switch’s ability to sto ...

  • Allied Telesis AT-S63 - page 314

    Chapter 27: Internet Protocol Version 4 Packet Routing 314 Section VII: Routing Routing Table The switch maintains its routing information in a table of routes that tells the switch how to find a local or remote destination. Each route is uniquely identified in the table by its IP address, network mask, next hop, protocol, and routing interface. ...

  • Allied Telesis AT-S63 - page 315

    AT-S63 Management Software Features Guide Section VII: Routing 315 Address Resolution Protocol (ARP) Table The switch maintains an ARP table of IP addresses and the matching Ethernet MAC addresses. It refers to the table when routing packets to determine the destination MAC addresses of the nodes, as well as interfaces and ports from where the ...

  • Allied Telesis AT-S63 - page 316

    Chapter 27: Internet Protocol Version 4 Packet Routing 316 Section VII: Routing Internet Control Message Protocol (ICMP) ICMP allows routers to send error and control messages to other routers or hosts. It provides the communication between IP software on one system and IP software on another. The switch implements the non-obsolete ICMP functio ...

  • Allied Telesis AT-S63 - page 317

    AT-S63 Management Software Features Guide Section VII: Routing 317 Time to Live Exceeded (11) If the TTL field in a packet falls to zero the switch will send a “Time to live exceeded” packet. This could occur if a route was excessively long or if too many hops were in the path. Table 24. ICMP Messages Implemented on the AT-9400 Switch ...

  • Allied Telesis AT-S63 - page 318

    Chapter 27: Internet Protocol Version 4 Packet Routing 318 Section VII: Routing Routing Interfaces and Management Features Routing interfaces are primarily intended for the IPv4 packet routing feature. There are, however, a number of management functions that rely on the presence of at least one routing interface on the switch to operate properly. ...

  • Allied Telesis AT-S63 - page 319

    AT-S63 Management Software Features Guide Section VII: Routing 319 As an example, assume you decided not to implement the IPv4 routing feature on a switch that had four local subnets, but you wanted the switch to send its events to a syslog server and have access to a RADIUS authentication server. Assume also that you wanted to use a TFTP serv ...

  • Allied Telesis AT-S63 - page 320

    Chapter 27: Internet Protocol Version 4 Packet Routing 320 Section VII: Routing Pinging a Remote Device This function is used to validate the existence of an active path between the switch and another network node. The switch can ping a device if there is a routing interface on the local subnet from where it reaches the device. In previous versi ...

  • Allied Telesis AT-S63 - page 321

    AT-S63 Management Software Features Guide Section VII: Routing 321 Local Interface The local interface is used with the enhanced stacking feature. It is also used with remote management of a switch with a Telnet or SSH client, or a web browser. The local interface does the following: • With an enhanced stack, it designates on the master switch ...

  • Allied Telesis AT-S63 - page 322

    Chapter 27: Internet Protocol Version 4 Packet Routing 322 Section VII: Routing AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches do not support the IPv4 packet routing feature. They do, however, support a limited version of some of the features. Local Interface You can create one routing ...

  • Allied Telesis AT-S63 - page 323

    AT-S63 Management Software Features Guide Section VII: Routing 323 Note The AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP Switches do not use the ARP table to move packets through the switching matrix. They refer to the table only when they perform a management function requiring them to communicate with another network node. Default Gateway The def ...

  • Allied Telesis AT-S63 - page 324

    Chapter 27: Internet Protocol Version 4 Packet Routing 324 Section VII: Routing Routing Command Example This section contains an example of the IPv4 routing feature. It illustrates the sequence of commands for implementing the feature. To make the example easier to explain, some of the command options are not mentioned and the default values are u ...

  • Allied Telesis AT-S63 - page 325

    AT-S63 Management Software Features Guide Section VII: Routing 325 Creating the VLANs The first step is to create the VLANs for the local subnets on the switch. The VLANs must be created before the routing interfaces. The following command creates a VLAN for the Sales department with a VID of 4 and the appropriate ports: create vlan=Sales vid ...

  • Allied Telesis AT-S63 - page 326

    Chapter 27: Internet Protocol Version 4 Packet Routing 326 Section VII: Routing command. Adding a Static Route and Default Route Building on our example, assume you decided to manually enter a route to a remote subnet as a static route. The command for creating a static route is ADD IP ROUTE. Here is the basic information for defining a static rou ...

  • Allied Telesis AT-S63 - page 327

    AT-S63 Management Software Features Guide Section VII: Routing 327 Adding RIP Rather than adding the static routes to remote destinations, or perhaps to augment them, you decide that the switch should learn routes by exchanging its route table with its routing neighbors using RIP. To implement RIP, you add it to the routing interfaces where rout ...

  • Allied Telesis AT-S63 - page 328

    Chapter 27: Internet Protocol Version 4 Packet Routing 328 Section VII: Routing Non-routing Command Example This example illustrates how to assign an IP address to a switch by creating just one interface. This example is appropriate in cases where you want to implement the management functions described in “Routing Interfaces and Management Fe ...

  • Allied Telesis AT-S63 - page 329

    AT-S63 Management Software Features Guide Section VII: Routing 329 The following command creates a default route for the example and specifies the next hop as 149.44.55.6: add ip route=0.0.0.0 nexthop=149.44.55.6 ...

  • Allied Telesis AT-S63 - page 330

    Chapter 27: Internet Protocol Version 4 Packet Routing 330 Section VII: Routing Upgrading from AT-S63 Version 1.3.0 or Earlier When the AT-9400 Switch running AT-S63 version 1.3.0 or earlier is upgraded to the latest version of the management software, the switch automatically creates a routing interface that preserves the previous IP configuratio ...

  • Allied Telesis AT-S63 - page 331

    331 Chapter 28 BOOTP Relay Agent This chapter has the following sections: • “Supported Platforms” on page 332 • “Overview” on page 333 • “Guidelines” on page 335 ...

  • Allied Telesis AT-S63 - page 332

    Chapter 28: BOOTP Relay Agent 332 Section VII: Routing Supported Platforms This feature is supported on the following switches: • Layer 2+ Models – Not supported • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Switches and the AT-StackXG Stacking Module – N ...

  • Allied Telesis AT-S63 - page 333

    AT-S63 Management Software Features Guide Section VII: Routing 333 Overview The AT-S63 Management Software comes with a BOOTP relay agent for relaying BOOTP messages between clients and DHCP or BOOTP servers. When a client sends a BOOTP request to a DHCP or BOOTP server for an IP configuration, it transmits the request as a broadcast packet beca ...

  • Allied Telesis AT-S63 - page 334

    Chapter 28: BOOTP Relay Agent 334 Section VII: Routing A routing interface that receives a BOOTP reply from a server inspects the broadcast flag field in the packet to determine whether the client, in its original request to the server, set this flag to signal that the response must be sent as a broadcast datagram. Some older nodes have this de ...

  • Allied Telesis AT-S63 - page 335

    AT-S63 Management Software Features Guide Section VII: Routing 335 Guidelines These guidelines apply to the BOOTP relay agent: • A routing interface functions as the BOOTP relay agent for the local clients in its subnet. • You can specify up to eight DHCP or BOOTP servers. • The hop count for BOOTP requests is preset on the AT-9400 Swi ...

  • Allied Telesis AT-S63 - page 336

    Chapter 28: BOOTP Relay Agent 336 Section VII: Routing ...

  • Allied Telesis AT-S63 - page 337

    337 Chapter 29 Virtual Router Redundancy Protocol The chapter has the following sections: • “Supported Platforms” on page 338 • “Overview” on page 339 • “Master Switch” on page 340 • “Backup Switches” on page 341 • “Interface Monitoring” on page 342 • “Port Monitoring” on page 343 • “VRRP on the Switch” ...

  • Allied Telesis AT-S63 - page 338

    Chapter 29: Virtual Router Redundancy Protocol 338 Section VII: Routing Supported Platforms This feature is supported on the following switches: • Layer 2+ Models – Not supported • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic Layer 3 Switches and the AT-StackXG Stack ...

  • Allied Telesis AT-S63 - page 339

    AT-S63 Management Software Features Guide Section VII: Routing 339 Overview This chapter describes the Virtual Router Redundancy Protocol (VRRP) support provided by the switch. One of the functions performed by switches is to act as a gateway to the WAN for hosts on a LAN. On larger LANs, two or more switches may act as the gateway, and hosts use ...

  • Allied Telesis AT-S63 - page 340

    Chapter 29: Virtual Router Redundancy Protocol 340 Section VII: Routing Master Switch The virtual router has a virtual MAC address known by all the switches participating in the virtual router. The virtual MAC address is derived from the virtual router identifier, which is a user-defined value from 1 to 255. All hosts on the LAN are configured ...

  • Allied Telesis AT-S63 - page 341

    AT-S63 Management Software Features Guide Section VII: Routing 341 Backup Switches All the other switches participating in the virtual router are designated as backup switches. A switch can be part of several different virtual routers on one LAN, provided that all the virtual routers have different virtual router identifiers. When a switch funct ...

  • Allied Telesis AT-S63 - page 342

    Chapter 29: Virtual Router Redundancy Protocol 342 Section VII: Routing Interface Monitoring The virtual router can monitor certain interfaces to change the priority of switches if the master switch loses its connection to the outside world. This is known as interface monitoring. Interface monitoring reduces the priority of the switch when an ...

  • Allied Telesis AT-S63 - page 343

    AT-S63 Management Software Features Guide Section VII: Routing 343 Port Monitoring Port monitoring is the process of detecting the failure of ports that are part of a VLAN that a virtual router is running over. If a port fails or is disabled, the VRRP priority is reduced by the stepvalue or by an amount that reflects the proportion of the VLAN’ ...

  • Allied Telesis AT-S63 - page 344

    Chapter 29: Virtual Router Redundancy Protocol 344 Section VII: Routing VRRP on the Switch VRRP is disabled by default. When a virtual router is created on the switch, it is enabled by default, but the VRRP module must be enabled before it is operational. The VRRP module or a specific virtual router can be enabled or disabled afterwards by usin ...

  • Allied Telesis AT-S63 - page 345

    AT-S63 Management Software Features Guide Section VII: Routing 345 prevents a switch from inadvertently backing up another switch. The authentication type and, in the case of plaintext authentication, the password, must be the same for all switches in the virtual router. By default, the virtual router has no authentication. Authentication is se ...

  • Allied Telesis AT-S63 - page 346

    Chapter 29: Virtual Router Redundancy Protocol 346 Section VII: Routing ...

  • Allied Telesis AT-S63 - page 347

    Section VIII: Port Security 347 Section VIII Port Security The chapters in this section contain overview information on the port security features of the AT-9400 Switch. The chapters include: • Chapter 30, “MAC Address-based Port Security” on page 349 • Chapter 31, “802.1x Port-based Network Access Control” on page 355 ...

  • Allied Telesis AT-S63 - page 348

    348 Section VIII: Port Security ...

  • Allied Telesis AT-S63 - page 349

    Section VIII: Port Security 349 Chapter 30 MAC Address-based Port Security The sections in this chapter include: • “Supported Platforms” on page 350 • “Overview” on page 351 • “Invalid Frames and Intrusion Actions” on page 353 • “Guidelines” on page 354 ...

  • Allied Telesis AT-S63 - page 350

    Chapter 30: MAC Address-based Port Security 350 Section VIII: Port Security Supported Platforms This feature is supported on the following AT-9400 Switches: • Layer 2+ Models – AT-9408LC/SP – AT-9424T/GB – AT-9424T/SP • Basic Layer 3 Models – AT-9424T – AT-9424Ts – AT-9424Ts/XP – AT-9448T/SP – AT-9448Ts/XP • Stack of Basic ...

  • Allied Telesis AT-S63 - page 351

    AT-S63 Management Software Features Guide Section VIII: Port Security 351 Overview You can use this feature to enhance the security of your network by controlling which end nodes can forward frames through the switch, and so prevent unauthorized individuals from accessing your network. It uses a frame’s source MAC address to determine whether ...

  • Allied Telesis AT-S63 - page 352

    Chapter 30: MAC Address-based Port Security 352 Section VIII: Port Security Secured This security level uses only static MAC addresses assigned to a port to forward frames. Consequently, only those end nodes whose MAC addresses are entered as static addresses are able to forward frames through a port. Dynamic MAC addresses already learned on a p ...

  • Allied Telesis AT-S63 - page 353

    Invalid Frames and Intrusion Actions. When a port receives an invalid frame, it has to select an intrusion action, which defines the port’s response to the packet. But before defining the intrusion actions, it helps to understand what constitutes an invalid frame. This di ...

  • Allied Telesis AT-S63 - page 354

    Guidelines. The following guidelines apply to MAC address-based port security: The filtering of a packet occurs on the ingress port, not on the egress port. You cannot use MAC address port security and 802.1x port-based access control on the same port. To configu ...
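
    The Secured level and the invalid-frame handling described in this chapter, as an added example that is not from the manual or Allied Telesis: a per-port model in which only statically assigned source MACs are forwarded, every other source MAC is an invalid frame, and the port's configured intrusion action decides the response. The action names (discard; discard and disable the port), the intrusion list and the MAC addresses are assumptions and constructed data, since the page does not list the actions. One detail worth seeing in code: a static table that is not normalised can be slipped past by writing the same address with a different case or separator, so the lookup canonicalises first.

```python
"""MAC address-based port security at the Secured level (added
illustration, not AT-S63 code).  A Secured port forwards a frame only if
its source MAC is one of the static addresses assigned to the port; any
other source is an invalid frame and triggers the port's intrusion action.
The action names and the intrusion log are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set


class IntrusionAction(Enum):
    DISCARD = "discard"             # drop the frame, port stays up (assumed name)
    DISABLE_PORT = "disable_port"   # drop the frame and shut the port (assumed name)


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form, so 'AA-BB-CC-DD-EE-FF' and
    'aabb.ccdd.eeff' cannot slip past a table storing 'aa:bb:cc:dd:ee:ff'."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class SecuredPort:
    number: int
    static_macs: Set[str]
    action: IntrusionAction = IntrusionAction.DISCARD
    enabled: bool = True
    intrusions: List[str] = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        self.static_macs.add(normalize_mac(mac))

    def ingress(self, src_mac: str) -> bool:
        """Decide on an ingress frame: True = forward, False = discard.
        Filtering is done here, on the ingress port, never on egress."""
        if not self.enabled:
            return False
        src = normalize_mac(src_mac)
        if src in self.static_macs:
            return True
        # Invalid frame: the source MAC is not a static entry on a Secured
        # port, and dynamic learning is not consulted at this level.
        self.intrusions.append(src)
        if self.action is IntrusionAction.DISABLE_PORT:
            self.enabled = False
        return False


def secured_port(number: int, macs, action=IntrusionAction.DISCARD) -> SecuredPort:
    return SecuredPort(number, {normalize_mac(m) for m in macs}, action)


def run_demo() -> dict:
    """Constructed traffic: the permitted host, then a host using an unknown
    address, against a DISCARD port and a DISABLE_PORT port."""
    allowed, rogue = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    p1 = secured_port(1, [allowed], IntrusionAction.DISCARD)
    p2 = secured_port(2, ["00-11-22-33-44-55"], IntrusionAction.DISABLE_PORT)
    return {
        "p1_allowed": p1.ingress(allowed),        # forwarded
        "p1_rogue": p1.ingress(rogue),            # dropped, port stays up
        "p1_allowed_again": p1.ingress(allowed),  # still forwarded
        "p2_rogue": p2.ingress(rogue),            # dropped, port shut down
        "p2_allowed_after": p2.ingress(allowed),  # dropped, port is down
        "p2_enabled": p2.enabled,
        "p1_intrusions": len(p1.intrusions),
    }
```

    The DISABLE_PORT action is the stronger response but also the easier denial of service: any host that can inject a frame with an unknown source address takes the port down for the legitimate node behind it.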

  • Allied Telesis AT-S63 - page 355

    Chapter 31: 802.1x Port-based Network Access Control. The sections in this chapter are: “Supported Platforms” on page 356; “Overview” on page 357; “Authentication Process” on page 359; “Port Roles” on page 360; “Authenticator Ports with Single and Multiple Supplicants” on page ...

  • Allied Telesis AT-S63 - page 356

    Supported Platforms. This feature is supported on the following AT-9400 Switches: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP; Stack ...

  • Allied Telesis AT-S63 - page 357

    Overview. The AT-S63 Management Software has several different methods for protecting your network and its resources from unauthorized access. For instance, Chapter 30, “MAC Address-based Port Security” on page 349, explains how you can restrict network access using the ...

  • Allied Telesis AT-S63 - page 358

    Authentication server: The authentication server is the network device that has the RADIUS server software. This is the device that does the actual authenticating of the supplicants. The AT-9400 Switch does not authenticate any of the supplicants connected ...

  • Allied Telesis AT-S63 - page 359

    Authentication Process. Below is a brief overview of the authentication process that occurs between a supplicant, authenticator, and authentication server. For further details, refer to the IEEE 802.1x standard. Either the authenticator (that is, a switch port) or the ...

  • Allied Telesis AT-S63 - page 360

    Port Roles. Part of the task of implementing this feature is specifying the roles of the ports on the switch. A port can have one of three roles: None, Authenticator, Supplicant. None Role: A switch port in the None role does not participate in port-based ...

  • Allied Telesis AT-S63 - page 361

    Assigning unique username and password combinations to your network users and requiring the users to provide the information when they initially send traffic through the switch can enhance network security by limiting network access to only those supplicants who have been ...

  • Allied Telesis AT-S63 - page 362

    Note: A supplicant connected to an authenticator port set to force-authorized must have 802.1x client software if the port’s authenticator mode is 802.1x. Though the force-authorized setting prevents an authentication exchange, the supplicant must still have ...

  • Allied Telesis AT-S63 - page 363

    Authenticator Ports with Single and Multiple Supplicants. An authenticator port has two operating modes. The modes relate to the number of clients using the port and, in situations where an authenticator port is supporting more than one client, whether just one client or all ...

  • Allied Telesis AT-S63 - page 364

    Figure 40. Authenticator Port in Single Operating Mode with a Single Client. The example in Figure 41 on page 365 illustrates a configuration that uses the piggy-back mode. Multiple clients are connected to an authenticator port on the switch through an Ethernet ...

  • Allied Telesis AT-S63 - page 365

    Figure 41. Single Operating Mode with Multiple Clients Using the Piggy-back Feature - Example 1. Because the piggy-back mode is activated on the authenticator port, only one client needs to be authenticated in order for all the clients to forward traffic through the port. I ...

  • Allied Telesis AT-S63 - page 366

    If the clients are connected to an 802.1x-compliant device, such as another AT-9400 Switch, you can automate the initial log on and reauthentications by configuring one of the switch ports as a supplicant. In this manner, the log on and reauthentications are pe ...

  • Allied Telesis AT-S63 - page 367

    Figure 43. Single Operating Mode with Multiple Clients Using the Piggy-back Feature - Example 3. Multiple Operating Mode. The second type of operating mode for an authenticator port is the Multiple mode. You can use this mode when a port is supporting more than one client and ...

  • Allied Telesis AT-S63 - page 368

    An example of this authenticator operating mode is illustrated in Figure 44. The clients are connected to a hub or non-802.1x-compliant switch which is connected to an authenticator port on the AT-9400 Switch. If the authenticator port is set to the 802.1x authe ...

  • Allied Telesis AT-S63 - page 369

    none, port 6 on switch A will discard the packets because switch B would not be logged on to the port. Also notice that the ports where the clients are connected on switch B are set to the none role. This is because a client can log on only once. If, in this example, you wer ...

  • Allied Telesis AT-S63 - page 370

    Supplicant and VLAN Associations. One of the challenges to managing a network is accommodating end users that roam. These are individuals whose work requires that they access the network resources from different points at different times. The difficulty arises i ...

  • Allied Telesis AT-S63 - page 371

    Single Operating Mode. Here are the operating characteristics for the switch when an authenticator port is set to the Single operating mode: If the switch receives a valid VLAN ID or VLAN name from the RADIUS server, it moves the authenticator port to the designated VLAN ...

  • Allied Telesis AT-S63 - page 372

    Guest VLAN. An authenticator port in the unauthorized state typically accepts and transmits only 802.1x packets while waiting to authenticate a supplicant. However, you can configure an authenticator port to be a member of a Guest VLAN when no supplicant is logg ...

  • Allied Telesis AT-S63 - page 373

    RADIUS Accounting. The AT-S63 Management Software supports RADIUS accounting for switch ports set to the Authenticator role. This feature sends information to the RADIUS server about the status of its supplicants. You can view this information on the RADIUS server to monit ...

  • Allied Telesis AT-S63 - page 374

    General Steps. Here are the general steps to implementing 802.1x Port-based Network Access Control and RADIUS accounting on the switch: 1. You must install a RADIUS server on one or more of your network servers or management stations. Authentication protocol se ...

  • Allied Telesis AT-S63 - page 375

    Guidelines. The following are general guidelines to using this feature: Ports operating under port-based access control do not support dynamic MAC address learning. The appropriate port role for a port on the AT-9400 Switch connected to a RADIUS authentication serve ...

  • Allied Telesis AT-S63 - page 376

    An authenticator port cannot be part of a static port trunk, LACP port trunk, or port mirror. If a switch port set to the supplicant role is connected to a port on another switch that is not set to the authenticator role, the port, after a timeout period ...

  • Allied Telesis AT-S63 - page 377

    Here are guidelines for adding VLAN assignments to supplicant accounts on a RADIUS server: The VLAN can be either port-based or tagged. The VLAN must already exist on the switch. A client can have only one VLAN associated with it on the RADIUS server. When ...
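
    The authenticator-port behaviour described across these sections (authenticator modes, Single and Multiple operating modes, the piggy-back option, the Guest VLAN and the VLAN the RADIUS server can return), as an added example that is not from the manual or Allied Telesis. The RADIUS server is a stub dictionary; `RADIUS_USERS`, the VLAN names and the MAC addresses are constructed. Two points the page leaves open are assumptions here: a RADIUS-assigned VLAN that does not exist on the switch is ignored and the port keeps its current VLAN, and in Single mode a second supplicant's logon is not relayed while the first is still logged on. The model also makes the piggy-back trade-off visible: once one client has authenticated, every MAC behind the hub is forwarded in that client's VLAN.

```python
"""Authenticator-port model for the 802.1x behaviour described above
(added illustration, not AT-S63 code).  Assumptions: a RADIUS-assigned
VLAN that does not exist on the switch is ignored; in Single mode a second
supplicant is not relayed while the first is logged on.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed RADIUS user database: username -> (password, VLAN name or None).
RADIUS_USERS: Dict[str, Tuple[str, Optional[str]]] = {
    "alice": ("alice-pw", "Engineering"),
    "bob": ("bob-pw", None),
}


def radius_authenticate(username: str, password: str) -> Tuple[bool, Optional[str]]:
    """Stand-in for the Access-Request/Accept exchange.  The switch never
    checks credentials itself; it relays them and acts on the answer."""
    entry = RADIUS_USERS.get(username)
    if entry is None or entry[0] != password:
        return False, None
    return True, entry[1]


@dataclass
class AuthenticatorPort:
    number: int
    auth_mode: str = "auto"           # auto | force-authorized | force-unauthorized
    operating_mode: str = "single"    # single | multiple
    piggyback: bool = False           # Single mode only
    guest_vlan: Optional[str] = None
    default_vlan: str = "Default_VLAN"
    existing_vlans: Set[str] = field(default_factory=lambda: {"Default_VLAN"})
    current_vlan: str = "Default_VLAN"
    authorized_macs: Set[str] = field(default_factory=set)

    def logon(self, mac: str, username: str, password: str) -> bool:
        """A supplicant at `mac` presents credentials; True if it may now
        send data frames through the port."""
        if self.auth_mode == "force-unauthorized":
            return False
        if self.auth_mode == "force-authorized":
            self.authorized_macs.add(mac)
            return True
        if self.operating_mode == "single" and self.authorized_macs:
            return mac in self.authorized_macs       # port already owned
        ok, vlan = radius_authenticate(username, password)
        if not ok:
            return False
        self.authorized_macs.add(mac)
        # "If the switch receives a valid VLAN ID or VLAN name from the RADIUS
        # server, it moves the authenticator port to the designated VLAN";
        # the guidelines require that VLAN to already exist on the switch.
        if self.operating_mode == "single" and vlan in self.existing_vlans:
            self.current_vlan = vlan
        return True

    def logoff(self, mac: str) -> None:
        self.authorized_macs.discard(mac)
        if not self.authorized_macs:
            self.current_vlan = self.default_vlan

    def forwards(self, mac: str) -> bool:
        """Is a data (non-EAPOL) frame from `mac` forwarded?"""
        if self.auth_mode == "force-authorized":
            return True
        if self.auth_mode == "force-unauthorized":
            return False
        if not self.authorized_macs:
            # Unauthorized port: only 802.1x frames pass, unless a Guest VLAN
            # gives unauthenticated clients somewhere to go.
            return self.guest_vlan is not None
        if self.operating_mode == "single":
            return self.piggyback or mac in self.authorized_macs
        return mac in self.authorized_macs           # Multiple: each client alone

    def vlan_for(self, mac: str) -> Optional[str]:
        """VLAN a frame from `mac` lands in, or None when it is discarded."""
        if not self.forwards(mac):
            return None
        if self.auth_mode == "auto" and not self.authorized_macs:
            return self.guest_vlan
        return self.current_vlan


def run_demo() -> Dict[str, object]:
    """Two constructed ports: a Single-mode piggy-back port with a Guest VLAN
    and a Multiple-mode port behind a hub."""
    p5 = AuthenticatorPort(5, operating_mode="single", piggyback=True, guest_vlan="Guest",
                           existing_vlans={"Default_VLAN", "Engineering", "Guest"})
    p6 = AuthenticatorPort(6, operating_mode="multiple")
    a, b, c = "00:aa:00:00:00:01", "00:bb:00:00:00:02", "00:cc:00:00:00:03"
    out: Dict[str, object] = {}
    out["p5_guest_vlan_before"] = p5.vlan_for(b)       # Guest VLAN while nobody is logged on
    out["p5_alice_logon"] = p5.logon(a, "alice", "alice-pw")
    out["p5_vlan_after"] = p5.vlan_for(b)              # piggy-back: b rides in Engineering
    p5.logoff(a)
    out["p5_vlan_after_logoff"] = p5.vlan_for(b)       # back to the Guest VLAN
    out["p6_before"] = p6.forwards(b)                  # no Guest VLAN: dropped
    out["p6_bob_wrong_pw"] = p6.logon(b, "bob", "nope")
    out["p6_bob_logon"] = p6.logon(b, "bob", "bob-pw")
    out["p6_other_client"] = p6.forwards(c)            # must log on itself
    out["p6_alice_logon"] = p6.logon(c, "alice", "alice-pw")
    out["p6_vlan"] = p6.current_vlan                   # RADIUS VLAN applied in Single mode only
    return out
```

    A port in Single mode without piggy-back is the tightest setting: only the authenticated MAC is forwarded. Multiple mode is the right choice behind a hub or a non-802.1x switch, since every client is challenged separately.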

  • Allied Telesis AT-S63 - page 378

    Chapter 31: 802.1x Port-based Network Access Control 378 Section VIII: Port Security ...

  • Allied Telesis AT-S63 - page 379

    Section IX: Management Security. The chapters in this section describe the management security features of the AT-9400 Switch. The chapters include: Chapter 32, “Web Server” on page 381; Chapter 33, “Encryption Keys” on page 387; Chapter 34, “PKI Certificates and SSL” on page 397; Cha ...

  • Allied Telesis AT-S63 - page 380

    380 Section IX: Management Security ...

  • Allied Telesis AT-S63 - page 381

    Chapter 32: Web Server. The sections in this chapter are: “Supported Platforms” on page 382; “Overview” on page 383; “Configuring the Web Server for HTTP” on page 384; “Configuring the Web Server for HTTPS” on page 385 ...

  • Allied Telesis AT-S63 - page 382

    Supported Platforms. This feature is supported on the following AT-9400 Switches: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP; Stack of Basic Layer 3 Switches a ...

  • Allied Telesis AT-S63 - page 383

    Overview. The AT-S63 Management Software has a web server and a special web browser interface that provide the ability to remotely manage the switch from a management workstation on your network using a web browser. (For instructions on the switch’s web browser interf ...

  • Allied Telesis AT-S63 - page 384

    Configuring the Web Server for HTTP. The following steps configure the web server for non-secure HTTP operation. The steps reference only the command line commands, but the web server can be configured from the menus interface, too. 1. Disable the web server with the DISABLE HTTP SERVER ...

  • Allied Telesis AT-S63 - page 385

    Configuring the Web Server for HTTPS. The following sections outline the steps for configuring the web server on the switch for HTTPS operation with a self-signed or CA certificate. The steps reference only the command line commands, but the web server can be configure ...

  • Allied Telesis AT-S63 - page 386

    6. After receiving the certificates from the CA, download them into the switch’s file system using the LOAD METHOD=TFTP or LOAD METHOD=XMODEM command. (Neither TFTP nor XMODEM authenticates the sender or protects the file’s integrity, so confirm that the file on the switch matches the copy the CA issued before the next step.) 7. Add the certificates to the certificate database with the ADD PKI CERTIFICATE command. 8. Disable the web server with the DISABLE H ...

  • Allied Telesis AT-S63 - page 387

    Chapter 33: Encryption Keys. The sections in this chapter are: “Supported Platforms” on page 388; “Overview” on page 389; “Encryption Key Length” on page 390; “Encryption Key Guidelines” on page 391; “Technical Overview” on page 392. For an overview of the procedures to confi ...

  • Allied Telesis AT-S63 - page 388

    Supported Platforms. This feature is supported on the following AT-9400 Switches: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP; Stack of Basic Layer 3 Swit ...

  • Allied Telesis AT-S63 - page 389

    Overview. Protecting your managed switches from unauthorized management access is an important role for a network manager. Network operations and security can be severely compromised if an intruder gains access to critical switch information, such as a manager’s log ...

  • Allied Telesis AT-S63 - page 390

    Encryption Key Length. When you create a key pair, you have to specify its length in bits. The range is 512, the default, to 1,536 bits, in increments of 256 bits. The longer the key, the more difficult it is for someone to decipher. Note that 512-bit RSA keys have been factored in public, and even the 1,536-bit maximum is below the 2,048-bit minimum that current guidance recommends, so use the longest length the switch supports rather than the default. If you are particularly concerned about the safety o ...

  • Allied Telesis AT-S63 - page 391

    Encryption Key Guidelines. Observe the following guidelines when creating an encryption key pair: Web browser encryption requires only one key pair. SSH encryption requires two key pairs. The keys must be of different lengths of at least one increment (256 bi ...

  • Allied Telesis AT-S63 - page 392

    Technical Overview. The encryption feature provides the following data security services: Data encryption; Data authentication; Key exchange algorithms; Key creation and storage. Data Encryption. Data encryption for switches is driven by the need for organizations to ke ...

  • Allied Telesis AT-S63 - page 393

    algorithm and key. For a given input block of plaintext ECB always produces the same block of ciphertext. Cipher Block Chaining (CBC) is the most popular form of DES encryption. CBC also operates on 64-bit blocks of data, but includes a feedback step which chains c ...
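
    The ECB and CBC modes just described, as an added example that is not from the manual or Allied Telesis. The two modes are implemented exactly as the text states; the 64-bit block function underneath them is a constructed stand-in (XOR with the key, then a byte rotation), not DES, and has no security of its own. It exists only to make the difference visible: under ECB, repeated plaintext blocks show up as repeated ciphertext blocks, while CBC's feedback step hides them. The key, IV and message are constructed. DES itself, with its 56-bit key, has been brute-forced in public and should not be chosen where a stronger cipher is offered.

```python
"""ECB versus CBC on 64-bit blocks (added illustration, not AT-S63 code).
The block function is a constructed stand-in, NOT DES and NOT secure: a
keyed, invertible map on 8-byte blocks is all the two modes need.
"""
BLOCK = 8  # 64-bit block size, as for DES


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block function: XOR with the key, then rotate left 3 bytes."""
    x = bytes(b ^ k for b, k in zip(block, key))
    return x[3:] + x[:3]


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    x = block[-3:] + block[:-3]
    return bytes(b ^ k for b, k in zip(x, key))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding up to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def split_blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Each block is encrypted independently, so equal plaintext blocks give
    equal ciphertext blocks: the pattern leak the text describes."""
    return b"".join(toy_block_encrypt(key, b) for b in split_blocks(pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return unpad(b"".join(toy_block_decrypt(key, c) for c in split_blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Feedback step: each plaintext block is XORed with the previous
    ciphertext block (the IV for the first one) before encryption."""
    out, prev = [], iv
    for b in split_blocks(pad(plaintext)):
        prev = toy_block_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in split_blocks(ciphertext):
        out.append(xor(toy_block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """How many distinct ciphertext blocks occur more than once."""
    blocks = split_blocks(ciphertext)
    return sum(1 for b in set(blocks) if blocks.count(b) > 1)


def demo() -> dict:
    key = bytes.fromhex("1337c0ffee429901")       # constructed key
    iv = bytes(BLOCK)                              # fixed IV, for a reproducible demo only
    msg = b"ATTACKATDAWN" * 4                      # 48 bytes; 8-byte blocks repeat
    ecb, cbc = ecb_encrypt(key, msg), cbc_encrypt(key, iv, msg)
    return {
        "ecb_repeats": repeated_blocks(ecb),       # three block values repeat
        "cbc_repeats": repeated_blocks(cbc),       # none
        "ecb_roundtrip": ecb_decrypt(key, ecb) == msg,
        "cbc_roundtrip": cbc_decrypt(key, iv, cbc) == msg,
    }
```

    A real CBC deployment also needs a fresh, unpredictable IV per message; the zero IV here is only to keep the demonstration deterministic.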

  • Allied Telesis AT-S63 - page 394

    secret. Only the decryption, or private key, needs to be kept secret. The other name for this type of algorithm is public key encryption. The public and private key pair cannot be randomly assigned, but must be generated together. In a typical scenario, a decryption station generate ...

  • Allied Telesis AT-S63 - page 395

    It is very hard to find another message and key which give the same hash. The two most commonly used one-way hash algorithms are MD5 (Message Digest 5, defined in RFC 1321) and SHA-1 (Secure Hash Algorithm, defined in FIPS-180-1). Practical collision attacks have since been published against both MD5 and SHA-1, so neither should be relied on where collision resistance matters. MD5 returns a 128-bit hash and SHA- ...

  • Allied Telesis AT-S63 - page 396

    A Diffie-Hellman algorithm requires more processing overhead than RSA-based key exchange schemes, but it does not need the initial exchange of public keys. Instead, it uses published and well tested public key values. The security of the Diffie-Hellman algorithm depends on these v ...

  • Allied Telesis AT-S63 - page 397

    Chapter 34: PKI Certificates and SSL. The sections in this chapter are: “Supported Platforms” on page 398; “Overview” on page 399; “Types of Certificates” on page 399; “Distinguished Names” on page 401; “SSL and Enhanced Stacking” on page 403; “Guidelines” on pag ...

  • Allied Telesis AT-S63 - page 398

    Supported Platforms. This feature is supported on the following AT-9400 Switches: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP; Stack of Basic Lay ...

  • Allied Telesis AT-S63 - page 399

    Overview. This chapter describes the second part of the encryption feature of the AT-S63 Management Software, PKI certificates. The first part is explained in Chapter 33, “Encryption Keys” on page 387. Encryption keys and certificates allow you to encrypt the commu ...

  • Allied Telesis AT-S63 - page 400

    network equipment. With private CAs, companies can keep track of the certificates and control access to various network devices. If your company is large enough, it might have a private CA and you might want the group to issue the certificate for the AT-9400 Switch so that y ...

  • Allied Telesis AT-S63 - page 401

    Distinguished Names. Part of the task of creating a self-signed certificate or enrollment request is selecting a distinguished name. A distinguished name is integrated into a certificate along with the key and can have up to five parts. The parts are: cn - common n ...

  • Allied Telesis AT-S63 - page 402

    If your network has a Domain Name System and you mapped a name to the IP address of a switch, you can specify the switch’s name instead of the IP address as the distinguished name. For those switches that do not have an IP address, such as slave switches of an enhanced st ...

  • Allied Telesis AT-S63 - page 403

    SSL and Enhanced Stacking. Secure Sockets Layer (SSL) is supported in an enhanced stack, but only when all switches in the stack are using the feature. When a switch’s web server is operating in HTTP, management packets are transmitted in plaintext. When it operates in ...

  • Allied Telesis AT-S63 - page 404

    Guidelines. The guidelines for creating certificates are: A certificate can have only one key. A switch can use only those certificates that contain a key that was generated on the switch. You can create multiple certificates on a switch, but the device uses th ...

  • Allied Telesis AT-S63 - page 405

    Technical Overview. This section describes the Secure Sockets Layer (SSL) feature, a security protocol that provides a secure and private TCP connection between a client and server. SSL can be used with many higher layer protocols including HTTP, File Transfer Protocol ...

  • Allied Telesis AT-S63 - page 406

    SSL uses asymmetrical (Public Key) encryption to establish a connection between client and server, and symmetrical (Secret Key) encryption for the data transfer phase. User Verification. An SSL connection has two phases: handshake and data transfer. The handshake initiates ...

  • Allied Telesis AT-S63 - page 407

    To verify the authenticity of a server, the server has a public and private key. The public key is given to the user. SSL uses certificates for authentication. A certificate binds a public key to a server name. A certification authority (CA) issues certificates after ...

  • Allied Telesis AT-S63 - page 408

    this, and other attacks, PKI provides a means for secure transfer of public keys by linking an identity and that identity’s public key in a secure certificate. Caution: Although a certificate binds a public key to a subject to ensure the public key’s security, it does not ...

  • Allied Telesis AT-S63 - page 409

    Elements of a Public Key Infrastructure. A public key infrastructure is a set of applications which manage the creation, retrieval, validation and storage of certificates. A PKI consists of the following key elements: At least one certification authority (CA), which ...

  • Allied Telesis AT-S63 - page 410

    Certificate Validation. To validate a certificate, the end entity verifies the signature in the certificate, using the public key of the CA who issued the certificate. CA Hierarchies and Certificate Chains. It may not be practical for every individual certificate in an organi ...
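
    Certificate validation walked up a chain the way this section describes, as an added example that is not from the manual or Allied Telesis. Signatures are textbook RSA over tiny constructed primes and are not secure; what matters is the chain logic: each certificate's signature is verified with the public key of the CA that issued it, until a root the verifier already trusts is reached. Because a valid signature alone is not enough, the walk also checks the validity period and that the end-entity name is the one expected; revocation checking is omitted. Validity periods are plain years and the name check uses the subject string directly, both simplifications; the CA names and the `switch1.corp.example` host are constructed.

```python
"""Certificate chain validation (added illustration, not AT-S63 code).
Signatures are textbook RSA over tiny constructed primes and are NOT
secure; only the chain walk matters.
"""
import hashlib
import json
from typing import Dict, List, Tuple


def keygen(p: int, q: int, e: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Textbook RSA from constructed primes: returns ((n, e), (n, d))."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def digest_int(tbs: dict, n: int) -> int:
    """Hash of the to-be-signed fields, reduced to fit the toy modulus."""
    data = json.dumps(tbs, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private: Tuple[int, int], tbs: dict) -> int:
    n, d = private
    return pow(digest_int(tbs, n), d, n)


def verify(public: Tuple[int, int], tbs: dict, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest_int(tbs, n)


def make_cert(subject: str, issuer: str, subject_pub, issuer_priv,
              not_before: int, not_after: int) -> dict:
    tbs = {"subject": subject, "issuer": issuer, "pub": list(subject_pub),
           "not_before": not_before, "not_after": not_after}
    return {"tbs": tbs, "sig": sign(issuer_priv, tbs)}


def validate_chain(chain: List[dict], trust_anchors: Dict[str, dict],
                   server_name: str, now: int) -> Tuple[bool, str]:
    """chain[0] is the end-entity certificate, chain[-1] the CA that a trust
    anchor issued.  Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    if chain[0]["tbs"]["subject"] != server_name:
        return False, "name mismatch"
    for i, cert in enumerate(chain):
        tbs = cert["tbs"]
        if not tbs["not_before"] <= now <= tbs["not_after"]:
            return False, f"{tbs['subject']}: outside validity period"
        if i + 1 < len(chain):
            issuer = chain[i + 1]["tbs"]
        elif tbs["issuer"] in trust_anchors:
            issuer = trust_anchors[tbs["issuer"]]["tbs"]
        else:
            return False, f"{tbs['subject']}: issuer not trusted"
        if issuer["subject"] != tbs["issuer"]:
            return False, f"{tbs['subject']}: issuer name does not match"
        # The step the text describes: verify the signature with the
        # issuing CA's public key.
        if not verify(tuple(issuer["pub"]), tbs, cert["sig"]):
            return False, f"{tbs['subject']}: bad signature"
    return True, "ok"


def build_hierarchy():
    """Constructed two-level hierarchy: root CA -> network CA -> switch."""
    root_pub, root_priv = keygen(61, 53, 17)
    sub_pub, sub_priv = keygen(71, 67, 13)
    sw_pub, _ = keygen(89, 97, 5)
    root = make_cert("Corp Root CA", "Corp Root CA", root_pub, root_priv, 2007, 2027)
    sub = make_cert("Corp Network CA", "Corp Root CA", sub_pub, root_priv, 2007, 2017)
    switch = make_cert("switch1.corp.example", "Corp Network CA", sw_pub, sub_priv, 2008, 2010)
    return root, sub, switch


def demo() -> dict:
    root, sub, switch = build_hierarchy()
    anchors = {"Corp Root CA": root}
    forged = json.loads(json.dumps(switch))          # copy, then alter a signed field
    forged["tbs"]["subject"] = "evil.corp.example"
    return {
        "good": validate_chain([switch, sub], anchors, "switch1.corp.example", 2009),
        "expired": validate_chain([switch, sub], anchors, "switch1.corp.example", 2012),
        "forged": validate_chain([forged, sub], anchors, "evil.corp.example", 2009),
        "unknown_root": validate_chain([switch, sub], {}, "switch1.corp.example", 2009),
    }
```

    The `unknown_root` case is the one that matters for a switch that presents a certificate from a private CA: unless the management station has that CA's root in its trust store, the chain ends in an issuer it cannot verify and the browser warning is the correct outcome, not something to click through.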

  • Allied Telesis AT-S63 - page 411

    PKI Implementation. The following sections discuss the implementation of PKI on the AT-9400 Switch. The following topics are covered: PKI Standards; Certificate Retrieval and Storage; Certificate Validation; Root CA Certificates. PKI Standards. The followin ...

  • Allied Telesis AT-S63 - page 412

    Chapter 34: PKI Certificates and SSL 412 Section IX: Management Security ...

  • Allied Telesis AT-S63 - page 413

    Chapter 35: Secure Shell (SSH). The sections in this chapter are: “Supported Platforms” on page 414; “Overview” on page 415; “Support for SSH” on page 416; “SSH Server” on page 417; “SSH Clients” on page 418; “SSH and Enhanced Stacking” on page 419; “SSH Confi ...

  • Allied Telesis AT-S63 - page 414

    Supported Platforms. This feature is supported on the following AT-9400 Switches: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP; Stack of Basic Layer 3 S ...

  • Allied Telesis AT-S63 - page 415

    Overview. Secure management is increasingly important in modern networks, as the ability to easily and effectively manage switches and the requirement for security are two universal requirements. Switches are often remotely managed using remote sessions via the Telnet ...

  • Allied Telesis AT-S63 - page 416

    Support for SSH. The AT-S63 implementation of the SSH protocol is compliant with the SSH protocol versions 1.3, 1.5, and 2.0. (Protocol version 1 has known cryptographic weaknesses and is deprecated; connect with SSH2 clients wherever possible.) In addition, the following SSH options and features are supported: Inbound SSH connections (server mode) are supported. The following security alg ...

  • Allied Telesis AT-S63 - page 417

    SSH Server. When the SSH server is enabled, connections from SSH clients are accepted. When the SSH server is disabled, connections from SSH clients are rejected by the switch. Within the switch, the AT-S63 Management Software uses well-known port 22 as the SSH default ...

  • Allied Telesis AT-S63 - page 418

    SSH Clients. The SSH protocol provides a secure connection between the switch and SSH clients. After you have configured the SSH server, you need to install SSH client software on your management PC. The AT-S63 Management Software supports both SSH1 and SSH2 clients. You can down ...

  • Allied Telesis AT-S63 - page 419

    SSH and Enhanced Stacking. The AT-S63 Management Software allows for encrypted SSH management sessions between a management station and a master switch of an enhanced stack, but not with slave switches, as explained in this section. When you remotely manage a slave sw ...

  • Allied Telesis AT-S63 - page 420

    Because enhanced stacking does not allow for SSH encrypted management sessions between a management station and a slave switch, you configure SSH only on the master switch of a stack. Activating SSH on a slave switch has no effect. ...

  • Allied Telesis AT-S63 - page 421

    SSH Configuration Guidelines. Here are the guidelines to configuring SSH: SSH requires two encryption key pairs. One key pair functions as the host key and the other as the server key. The two encryption key pairs must be of different lengths of at least one inc ...

  • Allied Telesis AT-S63 - page 422

    General Steps to Configuring SSH. Configuring the SSH server involves the following procedures: 1. Create two encryption key pairs on the switch. One pair will function as the host key and the other the server key. 2. Configure and activate the Secure Shell server on the switch ...

  • Allied Telesis AT-S63 - page 423

    Chapter 36: TACACS+ and RADIUS Protocols. This chapter describes the two authentication protocols TACACS+ and RADIUS. Sections in the chapter include: “Supported Platforms” on page 424; “Overview” on page 425; “Guidelines” on page 427 ...

  • Allied Telesis AT-S63 - page 424

    Supported Platforms. This feature is supported on the following AT-9400 Switches: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP; Stack of Basic ...

  • Allied Telesis AT-S63 - page 425

    Overview. TACACS+ and RADIUS are authentication protocols that can enhance the security of your network. In general terms, these authentication protocols transfer the task of authenticating network access from a network device to an authentication protocol server. The A ...

  • Allied Telesis AT-S63 - page 426

    When a network manager logs in to a switch to manage the device, the switch passes the username and password entered by the manager to the authentication protocol server. The server checks to see if the username and password are valid. This is referred to as authenticat ...

  • Allied Telesis AT-S63 - page 427

    Guidelines. Here are the main steps to using the TACACS+ or RADIUS client on the switch. 1. Install a TACACS+ or RADIUS server on one or more of your network servers or management stations. Authentication protocol server software is not available from Allied Telesis. 2. ...

  • Allied Telesis AT-S63 - page 428

    maximum length for a password is 16 alphanumeric characters and spaces. To create an account for a supplicant connected to an authenticator port set to the MAC address-based authentication mode, enter the MAC address of the node used by the supplicant as both its user ...

  • Allied Telesis AT-S63 - page 429

    Note: If no authentication server responds or if no servers have been defined, the AT-S63 Management Software defaults to the standard manager and operator accounts. Change the passwords of those accounts before relying on an external server: with this fallback, an attacker who can make the server unreachable is left facing the local accounts. Note: For more information on TACACS+, refer to the RFC 1492 standard (strictly, RFC 1492 documents the original TACACS; TACACS+ is a separate protocol that was specified only in a vendor Internet-Draft until RFC 8907). For more information on RADIUS, re ...

  • Allied Telesis AT-S63 - page 430

    Chapter 36: TACACS+ and RADIUS Prot ocols 430 Section IX: Management Security ...

  • Allied Telesis AT-S63 - page 431

    Chapter 37: Management Access Control List. This chapter explains how to restrict Telnet and web browser management access to the switch with the management access control list (ACL). Sections in this chapter include: “Supported Platforms” on page 432; “Overview” on page 433; “Parts of a ...

  • Allied Telesis AT-S63 - page 432

    Supported Platforms. This feature is supported on the following AT-9400 Switches: Layer 2+ Models: AT-9408LC/SP, AT-9424T/GB, AT-9424T/SP; Basic Layer 3 Models: AT-9424T, AT-9424Ts, AT-9424Ts/XP, AT-9448T/SP, AT-9448Ts/XP; Stack of Ba ...

  • Allied Telesis AT-S63 - page 433

    Overview. This chapter explains how to restrict remote management access of a switch by creating a management access control list (management ACL). This feature controls which management stations can remotely manage the device using the Telnet application protocol or ...

  • Allied Telesis AT-S63 - page 434

    Parts of a Management ACE. An ACE has the following three parts: IP address, Subnet mask, Application. IP Address: You can specify the IP address of a specific management station or a subnet. Mask: The mask indicates the parts of the IP address the switch shou ...

  • Allied Telesis AT-S63 - page 435

    Guidelines. Below are guidelines for the management ACL: The default setting for this feature is disabled. A switch can have only one management ACL. A management ACL can have up to 256 ACEs. An ACE must have an IP address and mask. All management ACE ...

  • Allied Telesis AT-S63 - page 436

    Examples. Following are several examples of ACEs. This ACE allows the management station with the IP address 149.11.11.11 to remotely manage the switch using either the Telnet application protocol or a web browser, and to ping the device: IP Address: 149.11.11.11 Mask: ...

  • Allied Telesis AT-S63 - page 437

    The two ACEs in this management ACL permit remote management from the management station with the IP address 149.11.11.11 and all management stations in the subnet 149.22.22.0: ACE #1 IP Address: 149.11.11.11 Mask: 255.255.255.255 Application Type: All ACE #2 IP Addres ...
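
    The ACE matching logic behind these examples, as an added example that is not from the manual or Allied Telesis: the mask is applied to both the ACE address and the packet's source address and the results compared, which is what lets one ACE cover a single station and another a whole subnet. The mask for the 149.22.22.0 ACE is assumed to be 255.255.255.0, and the application names and the implicit deny for non-matching stations when the ACL is enabled are assumptions. A source-address ACL is a filter, not an authentication: it is worth having in front of the Telnet and web servers, but it does not replace SSH or HTTPS and strong account passwords, since it trusts whatever source address arrives.

```python
"""Management ACL matching (added illustration, not AT-S63 code).  An ACE
has an IP address, a mask and an application; a management packet is
permitted when its source address equals the ACE address on the bits the
mask selects and the ACE's application covers the protocol in use.  The
application names, the implicit deny and the 255.255.255.0 mask for the
subnet ACE are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

APPLICATIONS = {"telnet", "web", "ping"}


@dataclass(frozen=True)
class ManagementACE:
    ip: str
    mask: str
    application: str = "all"   # "all" or one of APPLICATIONS

    def matches(self, source_ip: str, application: str) -> bool:
        if application not in APPLICATIONS:
            raise ValueError(f"unknown application {application!r}")
        if self.application not in ("all", application):
            return False
        # The mask selects the bits the switch compares, so a host ACE
        # (255.255.255.255) matches one address and a subnet ACE matches
        # every address sharing the masked prefix.
        mask = int(ipaddress.IPv4Address(self.mask))
        src = int(ipaddress.IPv4Address(source_ip))
        ace = int(ipaddress.IPv4Address(self.ip))
        return (src & mask) == (ace & mask)


class ManagementACL:
    MAX_ACES = 256               # "A management ACL can have up to 256 ACEs"

    def __init__(self, enabled: bool = False):
        self.enabled = enabled   # the feature is disabled by default
        self.aces: List[ManagementACE] = []

    def add(self, ace: ManagementACE) -> None:
        if len(self.aces) >= self.MAX_ACES:
            raise ValueError("management ACL is full")
        self.aces.append(ace)

    def permits(self, source_ip: str, application: str) -> bool:
        """Disabled ACL: every station may manage the switch.  Enabled ACL:
        only stations matching some ACE; everything else is dropped."""
        if not self.enabled:
            return True
        return any(ace.matches(source_ip, application) for ace in self.aces)


def example_acl() -> ManagementACL:
    """The two-ACE list from the page: one host and one subnet."""
    acl = ManagementACL(enabled=True)
    acl.add(ManagementACE("149.11.11.11", "255.255.255.255", "all"))
    acl.add(ManagementACE("149.22.22.0", "255.255.255.0", "all"))   # mask assumed
    return acl
```

    Before enabling the list on a production switch, check that the address of the station you are configuring from matches an ACE; a list that omits it locks out the very session that enabled it.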

  • Allied Telesis AT-S63 - page 438

    Chapter 37: Management Access Control List 438 Section IX: Management Security ...

  • Allied Telesis AT-S63 - page 439

    439 Appendix A AT-S63 Management Software Default Settings This appendix lists the factory default settings for the AT-S63 Management Software. It contains the following sections in alphabetical order: • “Address Resolution Protocol Cache” on page 441 • “Boot Configuration File” on page 442 • “BOOTP Relay Agent” on page 443 ...

  • Allied Telesis AT-S63 - page 440

    Appendix A: AT-S63 Management Software Default Settings 440 • “Telnet Server” on page 471 • “Virtual Router Redundancy Protocol” on page 472 • “VLANs” on page 473 • “Web Server” on page 474 ...

  • Allied Telesis AT-S63 - page 441

    AT-S63 Management Software Features Guide 441 Address Resolution Protocol Cache The following table lists the ARP cache default setting. ARP Cache Setting Default ARP Cache Timeout 150 seconds ...

  • Allied Telesis AT-S63 - page 442

    Appendix A: AT-S63 Management Software Default Settings 442 Boot Configuration File The following table lists the names of the default configuration files. Boot Configuration File Default Stand-alone Switch boot.cfg Stack of AT-9400 Basic Layer 3 Switches and the AT-StackXG Stacking Module stack.cfg ...

  • Allied Telesis AT-S63 - page 443

    AT-S63 Management Software Features Guide 443 BOOTP Relay Agent The following table lists the default setting for the BOOTP relay agent. BOOTP Relay Agent Setting Default Status Disabled Hop Count 1 1. Hop count is not adjustable. 4 ...

  • Allied Telesis AT-S63 - page 444

    Appendix A: AT-S63 Management Software Default Settings 444 Class of Service The following table lists the default mappings of IEEE 802.1p priority levels to egress port priority queues. IEEE 802.1p Priority Level Port Priority Queue 0 Q1 1 Q0 (lowest) 2 Q2 3 Q3 4 Q4 5 Q5 6 Q6 7 Q7 (highest) ...

  • Allied Telesis AT-S63 - page 445

    AT-S63 Management Software Features Guide 445 Denial of Service Defenses The following table lists the default settings for the Denial of Service prevention feature. Denial of Service Prevention Setting Default IP Address 0.0.0.0 Subnet Mask 0.0.0.0 Uplink Port Highest numbered existing port SYN Flood Defense Disabled Smurf Defense Disabled Land D ...

  • Allied Telesis AT-S63 - page 446

    Appendix A: AT-S63 Management Software Default Settings 446 802.1x Port-Based Network Access Control The following table describes the 802.1x Port-based Network Access Control default settings. The following table lists the default settings for RADIUS accounting. The following table lists the default settings for an authenticator port. 802.1x ...

  • Allied Telesis AT-S63 - page 447

    AT-S63 Management Software Features Guide 447 The following table lists the default settings for a supplicant port. VLAN Assignment Enabled Secure VLAN On Control Direction Both Piggyback Mode Disabled Guest VLAN None Supplicant Port Setting Default Auth Period 30 seconds Held Period 60 seconds Max Start 3 Start Period 30 seconds User Name (non ...

  • Allied Telesis AT-S63 - page 448

    Appendix A: AT-S63 Management Software Default Settings 448 Enhanced Stacking The following table lists the enhanced stacking default setting. Enhanced Stacking Setting Default Switch State Slave ...

  • Allied Telesis AT-S63 - page 449

    AT-S63 Management Software Features Guide 449 Ethernet Protection Switching Ring (EPSR) Snooping The following table lists the EPSR default setting. EPSR Setting Default EPSR State Disabled ...

  • Allied Telesis AT-S63 - page 450

    Appendix A: AT-S63 Management Software Default Settings 450 Event Logs The following table lists the default settings for both the permanent and temporary event logs. Event Log Setting Default Status Enabled Full Log Action Wrap ...

  • Allied Telesis AT-S63 - page 451

    AT-S63 Management Software Features Guide 451 GVRP This section provides the default settings for GVRP. GVRP Setting Default Status Disabled GIP Status Enabled Join Timer 20 centiseconds Leave Timer 60 centiseconds Leave All Timer 1000 centiseconds Port Mode Normal ...

  • Allied Telesis AT-S63 - page 452

    Appendix A: AT-S63 Management Software Default Settings 452 IGMP Snooping The following table lists the IGMP Snooping default settings. IGMP Snooping Setting Default IGMP Snooping Status Disabled Multicast Host Topology Single Host/Port (Edge) Host/Router Timeout Interval 260 seconds Maximum IGMP Multicast Groups 64 Multicast Router Ports Mo ...

  • Allied Telesis AT-S63 - page 453

    AT-S63 Management Software Features Guide 453 Internet Protocol Version 4 Packet Routing The following table lists the IPv4 packet routing default settings. Note The update and invalid timers are not adjustable. The switch does not support the IPv4 routing holddown and flush timers. Packet Routing Setting Default Equal Cost Multi-path (ECMP) Enabl ...

  • Allied Telesis AT-S63 - page 454

    Appendix A: AT-S63 Management Software Default Settings 454 MAC Address-based Port Security The following table lists the MAC address-based port security default settings. MAC Address-based Port Security Setting Default Security Mode Automatic (no security) Intrusion Action Discard Participating No MAC Limit No Limit ...

  • Allied Telesis AT-S63 - page 455

    AT-S63 Management Software Features Guide 455 MAC Address Table The following table lists the default setting for the MAC address table. MAC Address Table Setting Default MAC Address Aging Time 300 seconds ...

  • Allied Telesis AT-S63 - page 456

    Appendix A: AT-S63 Management Software Default Settings 456 Management Access Control List The following table lists the default setting for the management access control list. Management ACL Setting Default Status Disabled ...

  • Allied Telesis AT-S63 - page 457

    AT-S63 Management Software Features Guide 457 Manager and Operator Account The following table lists the manager and operator account default settings. Note Login names and passwords are case sensitive. Manager Account Setting Default Manager Login Name manager Manager Password friend Operator Login Name operator Operator Password operator Con ...

  • Allied Telesis AT-S63 - page 458

    Appendix A: AT-S63 Management Software Default Settings 458 Multicast Listener Discovery Snooping The following table lists the MLD Snooping default settings. MLD Snooping Setting Default MLD Snooping Status Disabled Multicast Host Topology Single Host/Port (Edge) Host/Router Timeout Interval 260 seconds Maximum MLD Multicast Groups 64 Mult ...

  • Allied Telesis AT-S63 - page 459

    AT-S63 Management Software Features Guide 459 Public Key Infrastructure The following table lists the PKI default settings, including the generate enrollment request settings. PKI Setting Default Switch Distinguished Name None Maximum Number of Certificates 256 Request Name None Key Pair ID 0 Format PEM Type PKCS10 ...

  • Allied Telesis AT-S63 - page 460

    Appendix A: AT-S63 Management Software Default Settings 460 Port Settings The following table lists the port configuration default settings. Port Configuration Setting Default Status Enabled 10/100/1000Base-T Speed Auto-Negotiation Duplex Mode Auto-Negotiation MDI/MDI-X Auto-MDI/MDIX Packet Filtering Disabled Packet Rate Limiting Disabled Ove ...

  • Allied Telesis AT-S63 - page 461

    AT-S63 Management Software Features Guide 461 RJ-45 Serial Terminal Port The following table lists the RJ-45 serial terminal port default settings. The baud rate is the only adjustable parameter on the port. RJ-45 Serial Terminal Port Setting Default Data Bits 8 Stop Bits 1 Parity None Flow Control None Baud Rate 9600 bps ...

  • Allied Telesis AT-S63 - page 462

    Appendix A: AT-S63 Management Software Default Settings 462 Router Redundancy Protocol Snooping The following table lists the RRP Snooping default setting. RRP Snooping Setting Default RRP Snooping Status Disabled ...

  • Allied Telesis AT-S63 - page 463

    AT-S63 Management Software Features Guide 463 Server-based Authentication (RADIUS and TACACS+) This section describes the server-based authentication, RADIUS, and TACACS+ client default settings. Server-based Authentication The following table describes the server-based authentication default settings. RADIUS Client The following table lists the ...

  • Allied Telesis AT-S63 - page 464

    Appendix A: AT-S63 Management Software Default Settings 464 Simple Network Management Protocol The following table describes the SNMP default settings. SNMP Communities Setting Default SNMP Status Disabled Authentication Failure Trap Status Disabled Community Name public (Read only) Community Name private (Read|Write) Status (public) Enable ...

  • Allied Telesis AT-S63 - page 465

    AT-S63 Management Software Features Guide 465 Simple Network Time Protocol The following table lists the SNTP default settings. SNTP Setting Default System Time 00:00:00 on January 1, 1980 SNTP Status Disabled SNTP Server 0.0.0.0 UTC Offset +0 Daylight Savings Time (DST) Enabled Poll Interval 600 seconds ...

  • Allied Telesis AT-S63 - page 466

    Appendix A: AT-S63 Management Software Default Settings 466 Spanning Tree Protocols (STP, RSTP, and MSTP) This section provides the spanning tree (STP, RSTP, and MSTP) default settings. Spanning Tree Switch Settings The following table describes the Spanning Tree Protocol default settings for the switch. Spanning Tree Protocol The following table ...

  • Allied Telesis AT-S63 - page 467

    AT-S63 Management Software Features Guide 467 Multiple Spanning Tree Protocol The following table lists the MSTP default settings. MSTP Setting Default Status Disabled Force Version MSTP Bridge Hello Time 2 Bridge Forwarding Delay 15 Bridge Max Age 20 Maximum Hops 20 Configuration Name null Revision Level 0 CIST Priority Increment 8 (32768) Po ...

  • Allied Telesis AT-S63 - page 468

    Appendix A: AT-S63 Management Software Default Settings 468 Secure Shell Server The following table lists the SSH default settings. The SSH port number is not adjustable. SSH Setting Default Status Disabled Host Key ID Not Defined Server Key ID Not Defined Server Key Expiry Time 0 hours Login Timeout 180 seconds SSH Port Number 22 ...

  • Allied Telesis AT-S63 - page 469

    AT-S63 Management Software Features Guide 469 Secure Sockets Layer The following table lists the SSL default settings. SSL Setting Default Maximum Number of Sessions 50 Session Cache Timeout 300 seconds ...

  • Allied Telesis AT-S63 - page 470

    Appendix A: AT-S63 Management Software Default Settings 470 System Name, Administrator, and Comments Settings The following table describes the IP default settings. IP Setting Default System Name None Administrator None Comments None ...

  • Allied Telesis AT-S63 - page 471

    AT-S63 Management Software Features Guide 471 Telnet Server The following table lists the Telnet server default settings. The Telnet port number is not adjustable. Telnet Server Setting Default Telnet Server Enabled Telnet Port Number 23 NULL Character Off ...

  • Allied Telesis AT-S63 - page 472

    Appendix A: AT-S63 Management Software Default Settings 472 Virtual Router Redundancy Protocol The following table lists the VRRP default setting. VRRP Setting Default Status Disabled ...

  • Allied Telesis AT-S63 - page 473

    AT-S63 Management Software Features Guide 473 VLANs This section provides the VLAN default settings. VLAN Setting Default Default VLAN Name Default_VLAN (all ports) Management VLAN ID 1 (Default_VLAN) VLAN Mode User Configured Uplink Port None Ingress Filtering Disabled ...

  • Allied Telesis AT-S63 - page 474

    Appendix A: AT-S63 Management Software Default Settings 474 Web Server The following table lists the web server default settings. Web Server Configuration Setting Default Status Enabled Operating Mode HTTP HTTP Port Number 80 HTTPS Port Number 443 ...

  • Allied Telesis AT-S63 - page 475

    475 Appendix B SNMPv3 Configuration Examples This appendix provides two examples of SNMPv3 configuration using the SNMPv3 Table menus and a worksheet to use as an aid when configuring the SNMPv3 protocol. It includes the following sections: • “SNMPv3 Manager Configuration” on page 476 • “SNMPv3 Operator Configuration” on page 477 ...

  • Allied Telesis AT-S63 - page 476

    Appendix B: SNMPv3 Configuration Examples 476 SNMPv3 Configuration Examples This appendix provides SNMPv3 configuration examples for the following types of users: • Manager • Operator In addition, an SNMPv3 Configuration Table is provided to record your SNMPv3 configuration. For more information about the SNMPv3 protocol, see Chapter 19, ...

  • Allied Telesis AT-S63 - page 477

    AT-S63 Management Software Features Guide 477 Configure SNMPv3 SecurityToGroup Table User Name: systemadmin24 Security Model: v3 Group Name: Managers Storage Type: NonVolatile Configure SNMPv3 Notify Table Notify Name: sysadminTrap Notify Tag: sysadminTag Notify Type: Trap Storage Type: NonVolatile Configure SNMPv3 Target Address Table Ta ...

  • Allied Telesis AT-S63 - page 478

    Appendix B: SNMPv3 Configuration Examples 478 Configure SNMPv3 View Table Menu View Name: internet View Subtree OID: 1.3.6.1 (or internet) Subtree Mask: View Type: Included Storage Type: NonVolatile Configure SNMPv3 Access Table Group Name: Operators Security Model: SNMPv3 Security Level: Authentication Read View Name: internet Write ...

  • Allied Telesis AT-S63 - page 479

    AT-S63 Management Software Features Guide 479 Security Model Security Level Read View Name Write View Name Notify View Name Storage Type SNMPv3 SecurityToGroup Table User Name Security Model Group Name Storage Type SNMPv3 Notify Table Notify Name Notify Tag Notify Type Storage Type SNMPv3 Target Address Table Target Address Name T ...

  • Allied Telesis AT-S63 - page 480

    Appendix B: SNMPv3 Configuration Examples 480 Security Model Security Level Storage Type SNMPv3 Parameters (Continued) ...

  • Allied Telesis AT-S63 - page 481

    481 Appendix C Features and Standards This appendix lists the features and standards of the AT-9400 Switch. Sections include: • “10/100/1000Base-T Twisted Pair Ports” on page 482 • “Denial of Service Defenses” on page 482 • “Fiber Optic Ports (AT-9408LC/SP Switch)” on page 483 • “File System” on page 483 • “Ethern ...

  • Allied Telesis AT-S63 - page 482

    Appendix C: Features and Standards 482 10/100/1000Base-T Twisted Pair Ports IEEE 802.1d Bridging IEEE 802.3 10Base-T IEEE 802.3u 100Base-TX IEEE 802.3ab 1000Base-T IEEE 802.3u Auto-Negotiation IEEE 802.3x 10/100 Mbps Flow Control / Backpressure IEEE 802.3z 1000 Mbps Flow Control — Auto-MDI/MDIX — Head of Line Blocking — Eight Egress Queues ...

  • Allied Telesis AT-S63 - page 483

    AT-S63 Management Software Features Guide 483 Fiber Optic Ports (AT-9408LC/SP Switch) IEEE 802.1d Bridging IEEE 802.3z 1000Base-SX — Head of Line Blocking — Eight Egress Queues Per Port File System — 8 megabyte storage capacity DHCP and BOOTP Clients RFC 2131 DHCP client RFC 951, 1542 BOOTP client Internet Protocol Multicasting RFC 1112 IGMP ...

  • Allied Telesis AT-S63 - page 484

    Appendix C: Features and Standards 484 RFC 826 Address Resolution Protocol — Equal Cost Multi-path — Split Horizon and Split Horizon with Poison Reverse — Autosummarization of Routes RFC 1542 BOOTP Relay MAC Address Table — Storage capacity of 16K entries Management Access and Security RFC 1157 SNMPv1 RFC 1901 SNMPv2 RFC 3411 SNMPv3 RFC 14 ...

  • Allied Telesis AT-S63 - page 485

    AT-S63 Management Software Features Guide 485 Management Access Methods Enhanced Stacking™ Out-of-band management (serial port) In-band management (over the network) using Telnet, SSH, web browser, and SNMP Management Interfaces Menus Command Line Web Browser SNMP v1, v2, & v3 Management MIBs RFC 1213 MIB-II RFC 1215 TRAP MIB RFC 1493 Bridg ...

  • Allied Telesis AT-S63 - page 486

    Appendix C: Features and Standards 486 Port Security IEEE 802.1x Port-based Network Access Control: Supports multiple supplicants per port and the following authentication methods: EAP-MD5 EAP-TLS EAP-TTLS PEAP RFC 2865 RADIUS Client RFC 2866 RADIUS Accounting — MAC Address-based security Port Trunking and Mirroring IEEE 802.3ad Link Aggregati ...

  • Allied Telesis AT-S63 - page 487

    AT-S63 Management Software Features Guide 487 RFC 1757 RMON Groups 1, 2, 3, and 9 Traffic Control RFC 2386 Quality of Service featuring: — Layer 2, 3, and 4 criteria — Flow Groups, Traffic Classes, and Policies — DSCP Replacement — 802.1q Priority Replacement — Type of Service Replacement — Type of Service to 802.1q Priority Replacemen ...

  • Allied Telesis AT-S63 - page 488

    Appendix C: Features and Standards 488 — MAC Address-based VLANs (Not supported on the AT-9408LC/SP, AT-9424T/GB, and AT-9424T/SP switches.) IEEE 802.3ac VLAN Tag Frame Extension IEEE 802.1P GARP VLAN Registration Protocol Virtual Router Redundancy Protocol RFC 3768 Virtual Router Redundancy Protocol ...

  • Allied Telesis AT-S63 - page 489

    489 Appendix D MIB Objects This appendix lists the SNMP MIB objects in the private Allied Telesis MIBs that apply to the AT-S63 Management Software and the AT-9400 Switch. Sections in the appendix include: • “Access Control Lists” on page 490 • “Class of Service” on page 491 • “Date, Time, and SNTP Client” on page 492 • “D ...

  • Allied Telesis AT-S63 - page 490

    Appendix D: MIB Objects 490 Access Control Lists Table 31. Access Control Lists (AtiStackSwitch MIB) Object Name OID atiStkSwACLConfigTable 1.3.6.1.4.1.207.8.17.9.1 atiStkSwACLConfigEntry 1.3.6.1.4.1.207.8.17.9.1.1 atiStkSwACLModuleId 1.3.6.1.4.1.207.8.17.9.1.1.1 atiStkSwACLId 1.3.6.1.4.1.207.8.17.9.1.1.2 atiStkSwACLDescription 1.3.6.1.4.1.207 ...

  • Allied Telesis AT-S63 - page 491

    AT-S63 Management Software Features Guide 491 Class of Service Table 32. CoS Scheduling (AtiStackSwitch MIB) Object Name OID atiSwQoSGroup 1.3.6.1.4.1.207.8.17.7 atiStkSwQoSGroupNumberOfQueues 1.3.6.1.4.1.207.8.17.7.1 atiStkSwQoSGroupSchedulingMode 1.3.6.1.4.1.207.8.17.7.2 Table 33. CoS Priority to Egress Queue Mappings (AtiStackSwitch MIB) O ...

  • Allied Telesis AT-S63 - page 492

    Appendix D: MIB Objects 492 Date, Time, and SNTP Client Table 36. Date, Time, and SNTP Client (AtiStackSwitch MIB) Object Name OID atiStkSysSystemTimeConfig 1.3.6.1.4.1.207.8.17.1.5 atiStkSwSysCurrentTime 1.3.6.1.4.1.207.8.17.1.5.1 atiStkSwSysCurrentDate 1.3.6.1.4.1.207.8.17.1.5.2 atiStkSwSysSNTPStatus 1.3.6.1.4.1.207.8.17.1.5.3 atiStkSwSysSNTP ...

  • Allied Telesis AT-S63 - page 493

    AT-S63 Management Software Features Guide 493 Denial of Service Defenses Table 37. LAN Address and Subnet Mask (AtiStackSwitch MIB) Object Name OID atiStkDOSConfig 1.3.6.1.4.1.207.8.17.2.6 atiStkDOSConfigLANIpAddress 1.3.6.1.4.1.207.8.17.2.6.1 atiStkDOSConfigLANSubnetMask 1.3.6.1.4.1.207.8.17.2.6.2 Table 38. Denial of Service Defenses (AtiStack ...

  • Allied Telesis AT-S63 - page 494

    Appendix D: MIB Objects 494 Enhanced Stacking Table 39. Switch Mode and Discovery (AtiStackInfo MIB) Object Name OID atiswitchEnhancedStackingInfo 1.3.6.1.4.1.207.8.16.1 atiswitchEnhStackMode 1.3.6.1.4.1.207.8.16.1.1 atiswitchEnhStackDiscover 1.3.6.1.4.1.207.8.16.1.2 atiswitchEnhStackRemoteNumber 1.3.6.1.4.1.207.8.16.1.3 Table 40. Switches of an ...

  • Allied Telesis AT-S63 - page 495

    AT-S63 Management Software Features Guide 495 GVRP Table 41. GVRP Switch Configuration (AtiStackSwitch MIB) Object Name OID atiStkSwGVRPConfig 1.3.6.1.4.1.207.8.17.3.6 atiStkSwGVRPStatus 1.3.6.1.4.1.207.8.17.3.6.1 atiStkSwGVRPGIPStatus 1.3.6.1.4.1.207.8.17.3.6.2 atiStkSwGVRPJoinTimer 1.3.6.1.4.1.207.8.17.3.6.3 atiStkSwGVRPLeaveTimer 1.3.6.1.4.1.2 ...

  • Allied Telesis AT-S63 - page 496

    Appendix D: MIB Objects 496 atiStkSwGVRPCountersPortNotListening 1.3.6.1.4.1.207.8.17.3.8.1.8 atiStkSwGVRPCountersInvalidPort 1.3.6.1.4.1.207.8.17.3.8.1.9 atiStkSwGVRPCountersInvalidProtocol 1.3.6.1.4.1.207.8.17.3.8.1.10 atiStkSwGVRPCountersInvalidFormat 1.3.6.1.4.1.207.8.17.3.8.1.11 atiStkSwGVRPCountersDatabaseFull 1.3.6.1.4.1.207.8.17.3.8. ...

  • Allied Telesis AT-S63 - page 497

    AT-S63 Management Software Features Guide 497 MAC Address Table Table 44. MAC Address Table (AtiStackSwitch MIB) Object Name OID atiStkSwMacAddr2VlanTable 1.3.6.1.4.1.207.8.17.3.3 atiStkSwMacAddr2VlanEntry 1.3.6.1.4.1.207.8.17.3.3.1 atiStkSwMacAddress 1.3.6.1.4.1.207.8.17.3.3.1.1 atiStkSwMacAddrVlanId 1.3.6.1.4.1.207.8.17.3.3.1.2 atiStkSwMacAd ...

  • Allied Telesis AT-S63 - page 498

    Appendix D: MIB Objects 498 Management Access Control List Table 46. Management Access Control List Status (AtiStackSwitch MIB) Object Name OID atiStkSwSysMgmtACLGroup 1.3.6.1.4.1.207.8.17.1.7 atiStkSwSysMgmtACLStatus 1.3.6.1.4.1.207.8.17.1.7.1 Table 47. Management Access Control List Entries (AtiStackSwitch MIB) Object Name OID atiStkSwSysMgmtA ...

  • Allied Telesis AT-S63 - page 499

    AT-S63 Management Software Features Guide 499 Miscellaneous Table 48. System Reset (AtiStackSwitch MIB) Object Name OID atiStkSwSysGroup 1.3.6.1.4.1.207.8.17.1 atiStkSwSysConfig 1.3.6.1.4.1.207.8.17.1.1 atiStkSwSysReset 1.3.6.1.4.1.207.8.17.1.1.1 Table 49. Local Interface (AtiStackSwitch MIB) Object Name OID atiStkSwSysGroup 1.3.6.1.4.1.207.8.17 ...

  • Allied Telesis AT-S63 - page 500

    Appendix D: MIB Objects 500 Port Mirroring Table 51. Port Mirroring (AtiStackSwitch MIB) Object Name OID atiStkSwPortMirroringConfig 1.3.6.1.4.1.207.8.17.2.2 atiStkSwPortMirroringState 1.3.6.1.4.1.207.8.17.2.2.1 atiStkSwPortMirroringDestinationModuleId 1.3.6.1.4.1.207.8.17.2.2.4 atiStkSwPortMirroringDestinationPortId 1.3.6.1.4.1.207.8.17.2.2.5 ...

  • Allied Telesis AT-S63 - page 501

    AT-S63 Management Software Features Guide 501 Quality of Service Table 52. Flow Groups (AtiStackSwitch MIB) Object Name OID atiStkSwQosFlowGrpTable 1.3.6.1.4.1.207.8.17.7.5 atiStkSwQosFlowGrpEntry 1.3.6.1.4.1.207.8.17.7.5.1 atiStkSwQosFlowGrpModuleId 1.3.6.1.4.1.207.8.17.7.5.1.1 atiStkSwQosFlowGrpId 1.3.6.1.4.1.207.8.17.7.5.1.2 atiStkSwQosFl ...

  • Allied Telesis AT-S63 - page 502

    Appendix D: MIB Objects 502 atiStkSwQosTrafficClassClassPriority 1.3.6.1.4.1.207.8.17.7.6.1.9 atiStkSwQosTrafficClassRemarkPriority 1.3.6.1.4.1.207.8.17.7.6.1.10 atiStkSwQosTrafficClassToS 1.3.6.1.4.1.207.8.17.7.6.1.11 atiStkSwQosTrafficClassMoveToSToPriority 1.3.6.1.4.1.207.8.17.7.6.1.12 atiStkSwQosTrafficClassMovePriorityToToS 1.3.6.1.4.1.2 ...

  • Allied Telesis AT-S63 - page 503

    AT-S63 Management Software Features Guide 503 Port Configuration and Status Table 55. Port Configuration and Status (AtiStackSwitch MIB) Object Name OID atiStkSwPortConfigTable 1.3.6.1.4.1.207.8.17.2.1 atiStkPortConfigEntry 1.3.6.1.4.1.207.8.17.2.1.1 atiStkSwModuleId 1.3.6.1.4.1.207.8.17.2.1.1.1 atiStkSwPortId 1.3.6.1.4.1.207.8.17.2.1.1.2 atiS ...

  • Allied Telesis AT-S63 - page 504

    Appendix D: MIB Objects 504 Spanning Tree Table 56. Spanning Tree (AtiStackSwitch MIB) Object Name OID atiStkSwSysConfig 1.3.6.1.4.1.207.8.17.1.1 atiStkSwSysSpanningTreeStatus 1.3.6.1.4.1.207.8.17.1.1.9 atiStkSwSysSpanningTreeVersion 1.3.6.1.4.1.207.8.17.1.1.10 ...

  • Allied Telesis AT-S63 - page 505

    AT-S63 Management Software Features Guide 505 Static Port Trunk Table 57. Static Port Trunks (AtiStackSwitch MIB) Object Name OID atiStkSwStaticTrunkTable 1.3.6.1.4.1.207.8.17.8.1 atiStkSwStaticTrunkEntry 1.3.6.1.4.1.207.8.17.8.1.1 atiStkSwStaticTrunkModuleId 1.3.6.1.4.1.207.8.17.8.1.1.1 atiStkSwStaticTrunkIndex 1.3.6.1.4.1.207.8.17.8.1.1.2 a ...

  • Allied Telesis AT-S63 - page 506

    Appendix D: MIB Objects 506 VLANs The objects in Table 58 display the specifications of the Default_VLAN. The objects in Table 59 display the names and VIDs of all the VLANs on a switch, but not the VLAN ports. Table 58. VLAN Table (AtiStackSwitch MIB) Object Name OID atiStkSwVlanConfigTable 1.3.6.1.4.1.207.8.17.3.1 atiStkSwVlanConfigEntry 1.3. ...

  • Allied Telesis AT-S63 - page 507

    AT-S63 Management Software Features Guide 507 Table 61. PVID Table (AtiStackSwitch MIB) Object Name OID atiStkSwPort2VlanTable 1.3.6.1.4.1.207.8.17.3.2 atiStkSwPort2VlanEntry 1.3.6.1.4.1.207.8.17.3.2.1 atiStkSwPortVlanId 1.3.6.1.4.1.207.8.17.3.2.1.1 atiStkSwPortVlanName 1.3.6.1.4.1.207.8.17.3.2.1.2 ...

  • Allied Telesis AT-S63 - page 508

    Appendix D: MIB Objects 508 ...

  • Allied Telesis AT-S63 - page 509

    509 Index Numerics 802.1p priority level in classifiers 113 802.1Q-compliant VLAN mode 276 802.1x Port-based Network Access Control authentication process 359 authenticator port role 357 default settings 446 described 357 guidelines 375 port roles 360 supplicant port role 357 supported platforms 356 A access control entries (ACE) described 433 exam ...

  • Allied Telesis AT-S63 - page 510

    Index 510 TCP source and destination ports 117 UDP source and destination ports 117 VLAN ID 114 Common and Internal Spanning Tree (CIST) defined 238 priority 238 common VLAN 59 community names SNMPv1 and SNMPv2c 68 configuration files. See boot configuration files configuration name 235 control messages, Ethernet Protection Switching Ring (EPSR) ...

  • Allied Telesis AT-S63 - page 511

    AT-S63 Management Software Features Guide 511 interface monitoring 342 Internet Group Management Protocol (IGMP) snooping default settings 452 described 177 supported platforms 176 Internet Protocol version 4 routing see also routing interfaces, Routing Information Protocol (RIP), static routes default settings 453 described 301 examples 324, 3 ...

  • Allied Telesis AT-S63 - page 512

    Index 512 O operator accounts, default settings 457 P password, default 43 path cost 217 permit access control lists 121 ping of death attack 169 PKI. See Public Key Infrastructure (PKI) Platforms 180 point-to-point ports 221 policies described 146 guidelines 147 port cost 217 port mirror described 95 guidelines 95 supported platforms 94 port mon ...

  • Allied Telesis AT-S63 - page 513

    AT-S63 Management Software Features Guide 513 encryption keys 416 management sessions 41 server 41, 417 supported platforms 414 Secure Sockets Layer (SSL) See also certificates, encryption key and enhanced stacking 403 default settings 469 described 399 encryption 405 supported platforms 398 technical overview 405 secured port security mode 352 se ...

  • Allied Telesis AT-S63 - page 514

    Index 514 Triple DES (3DES) encryption algorithms 393 U UDP destination ports 117 UDP destination ports in classifiers 117 UDP source ports 117 UDP source ports in classifiers 117 untagged ports 252 User-based Security Model (USM) authentication 199 username, default 43 V Virtual LAN. See MAC address-based VLANs, multiple VLAN modes, port-based ...
